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Introduction 


Objective 

The object of this Handbook is to provide some definitive assistance to Health 
Authorities in handling their responsibilities under the Data Protection Act, 1984. 
They have been prepared using the material available from the Office of the Data 
Protection Registrar together with the experience of a number of those who have 
been involved in the implementation of the Data Protection Act within the National 
Health Service. It is not claimed that this guidance is complete, nor that it is a 
definitive legal interpretation of the requirements of the Act, but rather that it 
forms a practical basis for managers in handling their responsibilities with a 
minimum of duplicated effort. 


The Handbook is intended to be treated as a reference manual and hence there is 
some duplication of material in various parts of the Handbook to avoid excessive 
cross referencing. 


Up-Dating and Enquiries 

The Handbook will be up-dated in the light of formal decisions of the Registrar and 
the Data Protection Tribunal, accumulating case law as the courts decide on issues of 
law and interpretation and on developments within the National Health Service. 


Any query regarding the contents of this Handbook should be addressed to: 


The NHS Centre for Information Technology 
19 Calthorpe Road 

Edgbaston 

Birmingham B15 1RP 

tel: 021-454-1112 
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Chapter 1 
The Data Protection Act 


1.1 Introduction 

The Data Protection Act, 1984 received the Royal Assent on 12 July 1984 thus 
' creating a legal framework around computer held personal information after many 
years of discussion. The objective of the Act is 


"to regulate the use of automatically processed information 
relating to individuals and the provision of services in respect of such 
information". 


The Act provides for the appointment of a Data Protection Registrar with wide 
powers of supervision and enforcement. It, also, enabled the United Kingdom to 
ratify the Council of Europe Convention for the Protection of Individuals with 
regard to Automatic Processing of Personal Data. 


The Act establishes new legal rights for individuals with regard to Personal Data 
processed by the use of automatic data processing equipment. The individual may:- 


seek compensation for damage and any associated distress 
caused by the loss, destruction or unauthorised disclosure of 
data or by inaccurate data 


apply for the rectification or erasure of inaccurate data 
obtain access to data of which he is the subject 


At the time of the passing of the Act there were worries about the lack of an 
adequate organisation to enforce it, about the lack of an associated Code of Practice 
and about the exclusion of manual records from its scope. Whether these are 
serious problems will emerge over the next few years but present evidence suggests 
that various Codes of Practice will be developed in due course, that the Registrar's 
organisation will gear itself up to the level of activity required and that 
organisations will have to think through a policy on their handling of manual 
records to avoid obvious and illogical inconsistencies between manual and computer 
held information. The DHSS Code of Confidentiality of Personal Health 
Information is expected to emerge during 1987 and this will have an important 
effect on the handling of all Health Data. 
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The “appointed day", on which registration commenced, was determined by the 
Home Secretary as 11 November 1985. The initial phase of registration was 
completed by 11 May 1986 and the final phase of the implementation of the Act 
takes place on 11 November 1987 when the Registrar's powers of supervision and 
direction become fully operational, when any Notices served previously under the 
Act take effect and when the Act's provisions for individuals to obtain access to 
their computer records become effective. 


Copies of the Data Protection Act 1984 are obtainable from Her Majesty's 
Stationery Office, London [ISBN 0 10 543 5848]. 
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1.2 A Guide to the Data Protection Act 1984 

The Data Protection Registrar has issued a number of useful publications about the 
Data Protection Act 1984 and these provide the easiest means of understanding the 
Act and its implications. It is intended that these publications will form a readily 
available source of up-to-date information on the Act. It is, therefore, neither 
useful nor practicable to attempt to reproduce their contents or to paraphrase them. 
However, it is important that everyone involved with the implementation of the Act 
should have a working knowledge of this basic material in order to take sensible 
decisions and to know when more detailed advice is necessary. The Registrar's 
words, or the words of the Act, are used where appropriate in attempting to provide 
this basic understanding of the concepts of the Data Protection Act 1984. In 
addition, copious use has been made of diagrams to illustrate the linkage between the 
various concepts and components of the Act. 


There is a fast growing collection of books on Data Protection and a full 
bibliography is provided with this Handbook but the publications currently 
available from the Office of the Data Protection Registrar are as follows:- 


Notes to Help you Apply for Registration September 1985 
Guideline 1 Introduction to the Act March 1987 
Guideline 2 The Definitions March 1987 
Guideline 3 The Register and Registration March 1987 
Guideline 4 The Data Protection Principles March 1987 
Guideline 5 Individuals Rights March 1987 
Guideline 6 The Exemptions March 1987 
Guideline 7 Enforcement and Appeals March 1987 
Guideline 8 Summary for Computer Bureaux March 1987 


The following earlier publications, which have been widely distributed, are no 
longer in print and have now been replaced:- 


Guideline 1 Introduction and Guide to the Act February 1985 
Questions and Answers on the Act 1-20 September 1985 
Questions and Answers on the Act 21-34 February 1986 


These Guidelines, between them, cover all the basic issues involved in the 
inplementation of the Data Protection Act 1984. They are now widely available and 
readily understood. 
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1.3 The Definitions in the Data Protection Act 1984 
The Act assigns special legal definitions to some terms which have less formal 
meanings in common usage (eg Data User). These terms are given in detail in the 
Glossary but they are illustrated in fig 1.1. 


Conceptually the Act defines (in Section 1) the key activity as that of processing 
Personal Data by reference to a living individual (defined as the Data 
Subject). The logical sequence is as follows:- 


Processing has a conventional meaning as that of amending, 
augmenting, deleting or re-arranging data or 
extracting information constituting the data 


Data is information recorded in a form in which it can 
be processed by equipment operating automatically in 
response to instructions given for that purpose 


Personal Data is data which relates to a living individual 


The activity of "processing Personal Data with reference to a living 
individual" constitutes the basic activity that requires registration under the Act. 
The organisations, or individuals, concerned with this process are as follows:- 


Data User is the person who controls the collection of 
Personal Data and the uses to which it is put 


Computer Bureau is a person who causes Personal Data to be 
processed for a Data User or who allows a Data 
User to process data on his equipment 


Data Subject is a living individual about whom Personal Data is 
held by a Data User for processing 


The Act imposes certain obligations on Data Users and Computer Bureaux. It 
causes Data Users to be open about their use of Personal Data (through 
registration) and to maintain good practice (defined in certain principles) in relation 
to Personal Data they hold. The Act does not seek to prevent Data Users from 
using Personal Data for legitimate purposes providing that they are appropriately 
registered and they operate in accordance with the principles. 


A Data User must register his holding of Personal Data together with the 
purposes for which he holds it. He must also register the sources from which he 
may get these data, those to whom he may disclose the data and the countries or 
territories outside the United Kingdom to which he may transfer the data and he 
must observe the Eight Data Protection Principles. 


4 Chapter1 NHS Data Protection Handbook [version 3.0] - May 29, 1987 


A Computer Bureau must register under the Act and observe the Eighth Data 
Protection Principle concerned with the security and integrity of any Personal 
Data processed by the Computer Bureau. The Data Subject has the right to be 
informed if a particular Data User holds Personal Data of which he is the 
subject and to be supplied with an intelligible copy of any such Personal Data. 


However, the Act does restrict Data Users in the way that they disclose 
‘information from their data holding. Disclosing has a special meaning within the 
Act as follows:- 


Disclosing, in relation to data, includes disclosing information 
extracted from the data; where the identification of 
the individual who is the subject of Personal Data 
depends partly on the information constituting the 
data and partly on other information in the possession 
of the Data User, the data shall not be regarded as 
disclosed or transferred unless the other 
information is also disclosed or transferred. 


There are many obscure aspects of these various definitions that will engage the 
attentions of the specialists and lawyers. Detailed cross-references are given to the 
fuller text of these definitions in the glossary but the above working definitions are 
enough for a basic understanding of the Act. 
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1.4 The Eight Data Protection Principles 

The Eight guiding principles for handling Personal Data are indicated in fig 1.2. 
Although they all seem eminently reasonable it is surprising how powerful they are 
as a body for assessing the way in which Personal Data has been handled. The 
Seventh Principle is concerned with the access by Data Subjects to their computer 
records and the Eighth Principle is concerned with the security of the records. The 
Eighth Principle is the only one relevant to Computer Bureaux. 


The Data Protection Principles are described in Part I of schedule 1 of the Act as 
follows:- 


Data Protection Principles 


Personal Data Held by Data Users 


"1 The information to be contained in Personal Data shall be obtained, and 
Personal Data shall be processed, fairly and lawfully. 


2 Personal Data shall be held only for one or more specified and lawful 
purposes. 


3. Personal Data held for any purpose or purposes shall not be used or 
disclosed in any manner incompatible with that purpose or those purposes. 


4 Personal Data held for any purpose or purposes shall be adequate, relevant 
and not excessive in relation to that purpose or those purposes. 


5 Personal Data shall be accurate and, where necessary, kept up to date. 


6 Personal Data held for any purpose or purposes shall not be kept for longer 
than is necessary for that purpose or those purposes. 


7 An individual shall be entitled- 
a at reasonable intervals and without undue delay or expense- 
i to be informed by any Data User whether he holds 
Personal Data of which that individual is the subject; 
and 


li to access to any such data held by the Data User; and 


b where appropriate, to have such data corrected or erased 
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Personal Data Held by Data Users or in Respect of 
which Services are Provided by Persons Carrying on 
Computer Bureaux 
8 Appropriate security measures shall be taken against unauthorised access to, or 
alteration, disclosure or destruction of, Personal Data and against accidental loss or 
destruction of Personal Data.” 


Part I of schedule 1 of the Act provides an interpretation of some aspects of these 
principles:- 


Interpretation 


The First Principle 
1 (1) Subject to sub-paragraph (2) below, in determining whether 
information was obtained fairly regard shall be had to the method by which it was 
obtained, including in particular whether any person from whom it was obtained 
was deceived or misled as to the purpose or purposes for which it is to be held, used 
or disclosed. 


(2) Information shall in any event be treated as obtained fairly if it is 
obtained from a person who- 


a is authorised by or under any enactment to supply it; or 


b is required to supply it by or under any enactment or by any 
convention or other instrument imposing an international 
obligation on the United Kingdom; 


and in determining whether information was obtained fairly there shall be 
disregarded any disclosure of the information which is authorised or required by or 
under any enactment or required by any such convention or other instrument as 
aforesaid. 


The Second Principle 
2 Personal Data shall not be treated as held for a specific purpose unless that 
purpose is described in particulars registered under this Act in relation to the data. 
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The Third Principle 
3 Personal Data shall not be treated as used or disclosed in contravention of this 
principle unless- 


a used otherwise than for a purpose of a description registered under this 
Act in relation to the data; or 
b disclosed otherwise than to a person of a deseription so registered. 

The Fifth Principle 


4 Any question whether or not Personal Data are accurate shall be determined as 
for the purposes of section 22 of this Act but, in case of such data as are mentioned 
in subsection (2) of that section, this principle shall not be regarded as having been 
contravened by reason of any inaccuracy in the information there mentioned if the 
requirements specified in that subsection have been complied with. 


The Seventh Principle 
5 61 Paragraph (a) of this principle shall not be construed as conferring any 
rights inconsistent with section 21 of this Act. 


2 In determining whether access to Personal Data is sought at reasonable 
intervals regard shall be had to the nature of the data, the purpose for 
which the data are held and the frequency with which the data are altered. 


3 The correction or erasure of Personal Data is appropriate only where 
necessary for ensuring compliance with the other Data Protection 
Principles. 


The Eighth Principle 
6 Regard shall be had - 


a to the nature of the Personal Data and the harm that would result from 
such access, alteration, disclosure, loss or destruction as are mentioned in 
this principle; 

and 


b to the place where the Personal Data are stored, to security measures 
programmed into the relevant equipment and to measures taken for 
ensuring the reliability of staff having access to the data. 
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Use for Historical, Statistical or Research Purposes 
7 Where Personal Data are held for Historical, Statistical or Research purposes 
and not used in such a way that damage or distress is, or is likely to be, caused to any 
Data Subject- 


a the information contained in the data shall not be regarded for the 
purposes of the first principle as obtained unfairly by reason only that its 
use for such purpose was not disclosed when it was obtained: and 


b the data may, notwithstanding the sixth principle, be kept indefinitely." 
The Registrar's Guideline No 4 gives more detailed advice on the implications of the 
Data Protection Principles. However, the interpretation of these principles will 


develop as experience grows of their application in various circumstances and as 
decisions of the Registrar, the Data Protection Tribunal and the courts accumulate. 


Notes: 
Section 21 of the Act deals with Subject Access rights 


Section 22 of the Act deals with compensation for damage and distress regarding the 
Fifth Data Protection Principle. 
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1.5 Registration under the Act 

Registration under the Act started on 11 November 1985. This has been organised 
by the Registrar in such a fashion that most organisations will be able to utilise the 
coded categories for describing their holding of Personal Data and their purposes 
for holding it. The basic registration forms issued by the Registrar are:- 


DPR 1 PartA which records the names and addresses of either Data 
Users or Computer Bureaux together with the addresses 
for Subject Access in the case of Data Users only 


DPR 1 Part B which is only required by Data Users and records the 
purposes of the data holding, the Data Subjects, the 
classes of Personal Data, the sources of the Personal Data 
and the disclosures made of it together with any overseas 
transfers of Personal Data 


Valid DPR1 A Forms 

A valid form requires a signature from the legal person registering together with 
the registration fee, currently £22. It is necessary to indicate whether the 
application is for registration as a Data User or a Computer Bureau or as both (in 
many cases it would be sensible for Data Users to register additionally as a 
Computer Bureau because it is so easy to find oneself processing data for others or 
loaning them equipment to allow them to do so for themselves - in this case they 
simply tick the first box in section Al). The official address of the person 
registering is required in section A2 and a name and address of a Data Protection 
contact can be given in A3. It is, also, possible to relate the application to a 
particular part or sub-division of and organisation in section A6. The normal 
period of registration is three years and there is little value in requesting a shorter 
period. In addition, they must list any relevant addresses for Subject Access 
applications (this may only involve ticking box A2 or A3 in section A8). 


Only those registering as Data Users are required to attach DPR1 Part B forms with 
their application and they must specify how many Part B forms are attached to each 
Part A form. 


Valid DPR1 Part B Forms 

There are two basic approaches offered by the Registrar. The first, and strongly 
preferred, approach is for Data Users to select one of the standard descriptions 
listed in the Registrar's "Notes to help you apply for Registration". The 
second approach is for the Data User to describe each item in his own words but it is 
worth noting that applications involving text will be closely scrutinised by the 
Registrar and are more likely to require further clarification. 


If free text is to be used it is important to try to avoid terms that may be unfamiliar 
to Data Subjects. The key issues in relation to Personal Data in the data holding to 
be recorded are as follows. 
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Purpose(s) 

The standard purposes listed by the Registrar are described on pages 13 to 
38 of his Notes. For each Part B form it is necessary to select the 
purpose that most accurately describes the reason for which the data is 
held and this should be entered in section B1. It is not necessary that a 
Data User should register under all the standard purposes that could apply 
to his activities but that a complete and accurate picture is given of his 
activities all of which should be covered under one or other of his 
registrations. 


In these notes each standard purpose is given with examples of typical activities 
which would fall within the scope of that code. The list is neither 
comprehensive nor exhaustive but it is intended that Data Users should select 
the purpose, or purposes, that most closely describe his use of the Personal 
Data. Some standard purposes require further details to be given and these 
are marked with an asterisk (*). Where this is the case it is necessary that 
additional information should be given in section B1 just below the standard 
purpose. Failure to provide such information will invalidate the application 
form. 


All standard purposes include "analysis for management purposes 
and statutory returns" to avoid the need for additional registration 
specifically covering this very common requirement. 


Where it is not possible to select an entry that properly covers all the 
activities then additional Part B forms must be made out to register the 
additional purposes even where the data classes, the sources, 
disclosures and overseas transfers are identical. It is important 
to note that a single computer system may require several Part B forms for 
different registration purposes while, in other circumstances, a single Part B 
form may be sufficient for several quite different computer systems where a 
single common purpose is involved. 


Data Subjects 

The Data Subjects are categorised on the form itself in section B1 from S001 to 
S040 in a self-evident fashion. No additional information is available on these 
categories at present but they allow for Data Subjects who come within 
these categories currently, previously or potentially. The primary 
relationship between the Data Subject and the Data User is the one that 
should be recorded in section B2. More than one category of Data Subject 
can be recorded on a single form. 
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Data Classes 

Section B2 deals with the classes of Personal Data held for this purpose. 
They are elaborated in the Registrar's Notes on pages 39-45 as classes 
C001-C132. The last item C132 Uncategorised Information is designed to 
deal with items like correspondence, files and reports held as data but not 
organised by reference to any specific data type. This applies to electronic 
mail and word processed material but should not be used to avoid 
registration of specific Data Classes known to be contained in the files. 


Sources and Disclosures 

Section B3 lists a variety of possible sources of data and corresponding 
disclosures D101-D382 with column A for the sources and column B for 
the disclosures. No additional amplification for these categories is yet 
available from the Registrar but they are substantially self-explanatory. In 
some cases, again where marked by an asterisk (*), it is necessary to 
give further details relating to particular categories of source or 
disclosure. 


Overseas Transfers 

The final section, B4, is concerned only with transfers of Data, i.e. 
computer processable information on, say magnetic tape or disc or via a 
network. The passing of information rather than data would require 
listing as a disclosure rather than as a transfer. The United Kingdom 
includes England, Wales, Scotland and Northern Ireland. For the 
purposes of the Act the Channel Islands and the Isle of Man are regarded as 
Overseas. 


It should be noted that some Computer Bureaux make extensive use of 
Overseas computing power. If this is the case with your Computer 
Bureau, your registration must reflect this possibility before you allow it to 
process your Personal Data. 


Mechanics 
All registration must be on original forms issued by the Registrar's office 


Office of the Data Protection Registrar 

Springfield House, Water Lane, WILMSLOW 

Cheshire, SK9 5AX 

tel 0625-535777 (enquiries) or 0625-535711 (administration) 


but they should all be photocopied before dispatch as copies will be 
required, not only for reference, but also for inclusion in User Manuals for 
staff and to be made available to other organisations needing details of your 
registration. Two address labels are required for acknowledgement and 


enquiry purposes. 
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The label and the associated Part B forms all should carry the reference 
number from the Part A form and each group of forms associated with a 
Part A form should be sent in a separate envelope. In the initial round of 
registration the Registrar accepted as effective any valid applications that 
had been posted by recorded delivery by the due date of 11 May 1986. 


Alterations or Amendments 

The Registrar must be notified immediately on any change of address - 
otherwise an offence has been committed. A registration cannot be amended 
until the Registrar has acknowledged the receipt of the application 
and provided a registrar's reference number for the entry in the register 
(the reference on the Part A form is a purely temporary link number not a 
continuing reference number). 


Changes to the register can be made using forms DPR2 either alone or in 
conjunction with DPR1 Part B forms where this makes the change more 
readily understood. The registrar's office will issue renewal reminders when 
they fall due. 
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1.6 Exemptions under the Act 

The concept of the usage of data embodied in the Act is a novel, and rather 
unfamiliar, one by comparison with the more clearcut concepts of owning or 
operating a computer. It was, thus, necessary to limit the scope of the Act in a 
number of ways in order to make it effective, workable and relevant. An 
understanding of these exemptions is important but it should generally be expected 
that NHS systems should be registered rather than be covered by some exemption. 


The four categories of exemption, outlined in figs 1.3-1.6 at the end of chapter 1, 
are as follows:- 


1 Unconditional exemptions from the Act as a whole 
2 Conditional exemptions from the Act as a whole 
3 Exemptions from the Subject Access provisions 
4 Exemptions from the "non-disclosure" provisions 


Although it is not possible to reproduce the whole of the relevant material an 
attempt has been made to quote the most important section of the Act relating to 
these exemptions together with the relevant references. 


It should be noted, generally, that under Section 34 (9):- 


"A person need not comply with a Notice, Request or Order under the Subject 
Access provisions if compliance would expose him to proceedings for any offence 
other than an offence under this Act; and any information disclosed by any person 
with such a Notice Request or Order shall not be admissible against him in _ 
proceedings for an offence under this Act." 


and, with respect to Subject Access, that under Section 26(4):- 


"Except as provided by this part of the Act the Subject Access provisions shall apply 
notwithstanding any enactment or rule of law prohibiting or restricting the 
disclosure, or authorising the withholding, of information." 


and, regarding the liability of senior officers, Section 20 (1) specifies:- 


"Where an offence under this Act has been committed by a body corporate and is 
proved to have been committed with the consent or connivance of or to be 
attributable to any neglect on the part of any director, manager, secretary or similar 
officer of the body corporate or any person who was purporting to act in any such 
capacity, he as well as the body corporate shall be guilty of that offence and be liable 
to be proceeded against and punished accordingly" 
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The following sections of Chapter 1, dealing with exemptions under the Act, should 
be read in conjunction with Section 2.8 where the likely implications of the 
exemptions for the NHS are examined. 
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1.7 Unconditional Exemptions 

Taking the exemptions from the Act as a whole as outlined in fig 1.3 the first 
exemption is unlikely to apply to the NHS. The second unconditional exemption 
(Section 34 (1)) relates to "Personal Data held by any person....which that person is 
required by or under any enactment to make available to the public." This 
exemption only applies to the individual, or organisation, performing some 
required function. Any other person processing the same Personal Data is not 

- exempt. 


The third unconditional exemption (Section 33 (1)) concerns "Personal Data held 
by an individual and concerned only with the management of his personal, family or 
household affairs or held by him for recreational purposes". This exemption does 
not extend to any business affairs of the individual or family and it does not apply to 
doctors or other NHS staff using home computers for Authority business. This 
must be registered by the Authority if this is either encouraged or allowed under the 
Authority's Code of Practice. 
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1.8 Conditional Exemptions 
The Conditional Exemption for Payments and Accounts is defined (Section 32) 
as Personal Data held for:- 


"a calculating amounts payable by way of remuneration or pensions in 
respect of service in any employment or office or making payments of, or 
sums deducted from, such remuneration or pensions; or 


b keeping accounts relating to any business or other activity carried on 
by the Data User or keeping records of purchases, sales or other transactions 
for the purpose of ensuring that the requisite payments are made by or to 
him in respect of those transactions or for the purpose of making financial 
or management forecasts to assist him in the conduct of any such business 
or activity." 


The condition of this exemption is that these data shall not be used for any other 
purpose and that they shall not be disclosed other than:- 


"a for the purposes of audit or where the disclosure is for the purpose 
only of giving information about the Data User's financial affairs"; or 


b as permitted by the non-disclosure exemptions described below 
In addition the payroll exemption extends to the following disclosures:- 


"a to any person, other than the Data User, by whom the remuneration or 
pensions in question are payable; 


b for the purposes of obtaining actuarial advice; 


c for the purpose of giving information as to the persons in any 
employment or office for use in medical research into the health of, or 
injuries suffered by, persons engaged in particular occupations or working 
in particular places or areas; 


d if the Data Subject (or a person acting on his behalf) has requested or 
consented to the disclosure of the data either generally or in the circumstances 
in which the disclosure in question is made; or 


e if the person making the disclosure has reasonable grounds for 
believing that the disclosure falls within paragraph (d) above". 


These restrictions are very specific and exclude multi-purpose payroll and 
accounting systems used in large organisations. Any disclosure outside those 
specified, such as to the DHSS for instance, immediately disqualifies the Data User 
from claiming this exemption. 
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This exemption will not be relevant to any significant number of Health Authority 
finance systems as they are used for a variety of other purposes outside the 
conditions of the exemption. Furthermore, the allowed disclosures does not include 
disclosures for the purpose of maintaining the system. Only a few “ minor NHS 
systems could claim this exemption. 


The exemptions relating to Unincorporated Clubs and Mailing Lists are 
_ exempted (Section 32 (2)-(4)) as follows:- 


"a Personal Data held by an unincorporated members’ club and relating 
only to members of the club; and 


b Personal Data held by a Data User only for the purpose of distributing, 
or recording the distribution of, articles or information to Data Subjects 
and consisting only of their names, addresses or other particulars 
necessary for effecting the distribution” 

The conditions of these exemptions are that the Data Subject 


"has been asked by the club or Data User whether he objects to the data 
relating to him being held as mentioned in that paragraph [a or b above] 
and has not objected" and 

"a the Data Subject ( or a person acting on his behalf ) has requested or 
consented to the disclosure of the data either generally or in the circumstances 
in which the disclosure in question is made; 


b if the person making the disclosure has reasonable grounds for 
believing that the disclosure falls within paragraph (a) above;" or 


c as permitted by the non-disclosure exemptions described below 
An additional condition on the Mailing List exemption is that 


"the data are not used for any purpose other than that for which they are 
held" 


Breaches of these conditions shall not result in the loss of these exemptions if the 
"Data User shows that he had taken such care to prevent it [unauthorised 


use of a Mailing List or unauthorised disclosure] as in all the circumstances 
was reasonably required" 
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In order to meet these requirements it will be necessary to make the admission 
arrangements such that they clarify the uses for which the club processes members 
Personal Data. Regarding Mailing Lists, the starting point should be a request or 
consent from the Data Subject and then a routine mailshot (possibly annually) 
inviting information about changes of address and listing an address to which the 
Data Subject can write in order to have his name removed from the list should cover 
the basic requirements. Unauthorised use or disclosure are matters for internal 
controls. Many Authorities maintain a variety of mailing lists which could qualify 
for this exemption provided no additional information, such as telephone numbers, 
is included and provided that they are not used for other purposes. A few associated 
clubs might also qualify for the unincorporated club exemption. 


The "Word Processing Exemption" 

The so-called Word Processing exemption is not really an exemption in the sense of 
the exemptions listed above but rather it arises from the definition of "processing" 
in section 1 of the Act as follows:- 


"7 "Processing", in relation to data, means amending, augmenting, 
deleting, or re-arranging the data or extracting the information 
constituting the data and, in the case of Personal Data, means performing 
any of these operations by reference to the Data Subject. 


8 Subsection (7) above shall not be construed as applying to any 
operation performed only for the purpose of preparing the text of 
documents." 


If correspondence is not erased as soon as sufficient copies have been produced, it is 


likely that it will be looked up and hence this will involve an operation not covered 
in subsection (8) above and is therefore registerable. 
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1.9 Subject Access Exemptions 
The exemptions from the Subject Access provisions of the Act are illustrated in fig 
1.4 and they can best be described as follows:- 


Law/Revenue Enforcement (Section 28) 
"1 Personal Data held for any of the following purposes- 


a the prevention or detection of crime; 
b the apprehension or prosecution of offenders; or 
c the assessment or collection of any tax or duty, 


are exempt from the Subject Access provisions in any case in which the application 
of those provisions would be likely to prejudice any of the matters mentioned in this 
subsection”. However, so far no NHS systems have emerged that might qualify for 
this exemption. 

Judicial Appointments (Section 31 (1)) - not relevant to NHS 

Legal Privilege (Section 31 (2)) - relevant only to NHS legal advisers 


Statistics and Research (Section 33 (5)) 


"Personal Data held only for- 
a preparing statistics; or 
b carrying out research, 


are exempt from the Subject Access provisions; but it shall be a condition of that 
exemption that the data are not used or disclosed for any other purpose and that the 
resulting statistics or the results of the research are not made available in a form. 
which identifies the Data Subjects or any of them". This exemption might have 
widespread relevance to NHS and save a considerable amount of Subject Access 
where the Personal Data are only used for this purpose. However, any additional 
usage, for instance in the clinical care of patients, will, of course, destroy the claim 
for exemption from Subject Access. 


In the Registrar's view any strictly necessary disclosure to a computer systems 
maintenance engineer in order to ensure the continued operation of the system is not 
to be treated as a disclosure which would invalidate this exemption but rather as an 
essential requirement for the purpose of operating the system. 
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Prohibited by Law (Section 34 (2)) 

"The Secretary of State may order exemption from the Subject Access provisions 
Personal Data consisting of information the disclosure of which is prohibited or 
restricted by or under any enactment if he considers that the prohibition or 
restriction ought to prevail over those provisions in the interests of the Data Subject 
or of any other individual". 


Covered by the Consumer Credit Act 1974 (Section 34 (3)) - not likely to 
apply to the NHS. 


Back Up (Section 34 (4)) 

"Personal Data are exempt from the Subject Access provisions if the data are kept 
only for the purpose of replacing other data in the event of the latter being lost, 
destroyed or impaired". 


Data held by Regulatory Bodies (Section 30) - not likely to apply to the NHS. 


Examination Marks (Section 35) This section refers to “any process for 
determining the knowledge, intelligence; skill or ability of a candidate by reference 
to his performance in any test, work or other activity” [Section 35 (5)]. It does not 
convey any Subject Access exemption but it allows additional time in which the 
Subject Access process may be completed as follows:- 


"Where the period mentioned in subsection (6) of Section 21 begins before the 
results of the examination are announced that period shall be extended until- 


(a) the end of five months from the beginning of that period; or 

(b) the end of forty days after the date of the announcement, 
whichever is the earlier" [Section 35(2)]. 
There is a price to be paid for this extension because it is necessary to keep a record 
of all modifications to the Personal Data from the time at which the request is made 
until the time at which the Personal Data is supplied:- 
"....the information supplied pursuant to the request shall be supplied both by 
reference to the data in question at the time when the request is received and (if 


different) by reference to the data as from time to time held in the period beginning 
when the request is received and ending when it is complied with." [Section 35(3)]. 
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1.10 Non-Disclosure Exemptions 

These exemptions are closely linked with other exemptions under the Act, in some 
cases they can be seen as defining the meaning of "disclosure" within the terms of 
the Data Protection Act. 


Revenue/Law Enforcement (Section 28 (3)) 
"Personal Data are exempt from the Non-disclosure provisions in any case in 


_ which- 


a the disclosure is for any of the purposes mentioned in subsection (1) 
[listed under the Subject Access exemptions]; and 


b the application of those provisions in relation to the disclosure would be 
likely to prejudice any of the matters mentioned in that subsection; 


and in proceedings against any person for contravening a provision mentioned in 
section 26(3)(a) above it shall be a defence to prove that he had reasonable grounds 
for believing that failure to make the disclosure in question would have been likely 
to prejudice any of those matters”. 


National Security (Section 27 (3)-(4)) - not likely to be relevant to NHS 


Required by Law (Section 34 (5)) 
“Personal Data are exempt from the Non-disclosure provisions in any case in which 


the disclosure is- 


a required by or under any enactment, by any rule of law or by order of 
a court; or 


b made for the purpose of obtaining legal advice or for the purposes of, 
or in the course of, legal proceedings in which the person making the 
disclosure is a party or a witness". 


Requested by the Data Subject/Agent (Section 34 (6)) 
"Personal Data:are exempt from the Non-disclosure provisions in any case in 


which- 
a the disclosure is to the Data Subject or a person acting on his behalf; or 


b the Data Subject or any such person has requested or consented to the 
particular disclosure in question"; or 


d the person making the disclosure has reasonable grounds for believing 
that the disclosure falls within any of the foregoing paragraphs of this 
subsection". 
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Data Users Servants (Section 34 (6)(c)) 
"Personal Data are exempt from the Non-disclosure provisions in any case in 
which- 


c the disclosure is by a Data User or a person carrying on a Computer 
Bureau to his servant or agent for the purpose of enabling his servant or 
agent to perform his functions as such; or 


d the person making the disclosure has reasonable grounds for believing 
that the disclosure falls within any of the foregoing paragraphs of this 
subsection”. 


Prevention of Injury/Damage to Health (Section 34 (8)) 

"Personal Data are exempt from the Non-disclosure provisions in any case in which 
the disclosure is urgently required for preventing injury or other damage to health 
of any person or persons; and in proceedings against any person for contravening a 
provision mentioned in section 26(3)(a) above it shall be a defence to prove that he 
had reasonable grounds for believing that the disclosure in question was urgently 
required for that purpose”. 
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1.11 Orders under the Act 

There are a variety of Orders that the Secretary of State may make (see fig 1.6) 
which have the possibility of altering substantially the operation of the Data 
Protection Act 1984. However, the most important orders for the NHS are listed 
below. At the present time no Orders under these Sections of the Act have been 
made but it is expected that Orders will be laid before Parliament in time to become 
effective from the time at which the Subject Access provisions become effective [11 
November 1987]. 


Physical or Mental Health Data [Section 29 (1)] 

val The Secretary of State may Order exempt from the Subject Access 
provisions, or modify those provisions in relation to Personal Data 
consisting of information as to the Physical or Mental Health of the Data 
Subject”. 


Social Work Data [Section 29(2)] 

"2 The Secretary of State may Order exempt from the Subject Access 
provisions, or modify those provisions in relation to, Personal Data of such 
other descriptions as may be specified in the Order, being information - 


(a) held by government departments or local authorities or by 
voluntary organisations or other bodies designated by or under 
the Order; and 


(b) appearing to him to be held for, or acquired in the course of, 
carrying out social work in relation to the Data Subject or other 
individuals; 


but the Secretary of State shall not under this subsection confer any exemption 
or make any modification except so far as he considers that the application to 
the data of those provisions (or of those provisions without modification) 
would be likely to prejudice the carrying out of social work." 


Additional Safeguards [Section 2(3)] 

"The Secretary of State may by Order modify or supplement those principles 
for the purpose of providing additional safeguards in relation to Personal Data 
consisting of information as to - 


(a) the racial origin of the Data Subject; 

(b) his political opinions or religious or other beliefs; 
(c) _ his physical or mental health or sexual life; or 

(d) his criminal convictions, 


and references in this Act to the Data Protection Principles include, except 
where the context otherwise requires, references to any modified or additional 
principle having effect by virtue of an Order under this Section." 
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Mental Incapacity [Section 21(9)] 

"The Secretary of State may by Order provide for enabling a request under 
this Section to be made on behalf of any individual who is incapable by reason 
of mental disorder of managing his own affairs." 
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1.12 Enforcement of the Act 

The first mechanism for enforcement is the appointment of the Registrar and his 
staff. His main duties are outlined schematically in fig 1.7 and he has three specific 
major powers under the Act, outlined in fig 1.8, to enable him to carry out these 
duties effectively. "If the Registrar is satisfied that a registered person has 
contravened or is contravening any of the Data Protection principles" he may serve 
him with an Enforcement Notice [Section 10] or a De-registration Notice [Section 
11] as a means of securing compliance with the Act. He may serve a Transfer 
Prohibition Notice [Section 12)]where he is satisfied that the transfer is likely to lead 
to the contravention of any of the Data Protection principles. The Data Protection 
Tribunal provides a mechanism for Data Users and Computer Bureaux to appeal 
against a refusal of registration or against any Notice issued by the Registrar 
[Sections 13-14]. 


The second major mechanism for the enforcement of the Act are the courts. The 
Act creates 10 new offences as follows:- 


1 Holding Personal Data without being registered or without having 
applied for registration [Data User only-Section 5(1)] 


2 Knowingly or recklessly 
holding data [Data User only-Section 5(1), 5(5)] 


using data, obtaining or disclosing data or transfering data (Data user, his 
servants or agents-Section [5(2), 5(3), 5(5)] 


other than as described in the register entry. 


3 Knowingly or recklessly operating as a Computer Bureau in respect of 
Personal Data without being registered as such [Computer Bureau-Section 


5(1), 5(5)]. 


4 Not keeping a registered address up to date [Data User, Computer Bureau 
Section 6(5)]. 


5 Knowingly or recklessly supplying the Registrar with false or misleading 
information on application for registration or change of particulars [Data 
User, Computer Bureau, their servants or agents Section 6(6)]. 


6 Failure to comply with an Enforcement Notice [Data User, Computer Bureau 
Section 10(9)]. 


7 Failure to comply with a Transfer Prohibition Notice [Data User Section 
12(10)]. 
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8 Knowingly or recklessly disclosing Personal Data without the Data User's 
authority [Computer Bureau Section 15]. 


9 Intentional obstruction of a person executing a warrant [any person Schedule 4 
Section 12(a)]. 


10 Failure, without reasonable excuse, to give reasonable assistance in the 
execution of a warrant [any person Schedule 4 Section 12(b)]. 


The third major means of securing compliance with the Act are the rights of the 
Data Subject to sue through the courts for compensation for damage and associated 
distress arising from: 


i loss of data [Section 23(1)(a)] 


ii destruction of data without the authority of the Data User [Section 
23(1)(b)) 


iii disclosure of, or access to, the data without the authority of the Data 
User [Section 23(1){c), 23(2)] 


iv inaccurate data - ie data which are incorrect or misleading as to any 
matter of fact [Section 22] 


In addition, the courts may order a Data User to comply with a Subject Access 
request [Section 21(8)] or to rectify or erase incorrect data [Section 24]. 


The Act contains an exemption from prosecution clause [Section 38] which the 
Registrar believes will apply to Health Authorities. However, it should be noted that 
Section 38(2) and the Sections of the Act defined there make it clear that Authorities 
and their servants and agents will be guilty of an offence in law if they contravene 
the requirements of the Act. This exemption does not in any way exempt Health 
Authorities from the need to register their data holding and usage or the need for 
them fully to comply with the Act. Their servants and agents can certainly be 
prosecuted even if the Authority itself cannot, and of course the Authority is open to 
claims for compensation for damage and associated distress. Furthermore, Section 
20 might be construed as being applicable to senior officers of the Authority. 
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THE DATA PROTECTION 
ACT 1984 


fig 1.1 Outline of basic concepts 
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fig 1.2 EIGHT PRINCIPLES OF THE DATA 
PROTECTION ACT 1984 
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Unconditional Exemptions — 


National Security 


Personal & Household Affairs 


Conditional Exemptions 


Payments & Accounts 
Unincorporated Clubs [members] 
Mailing lists 


fig 1.3 General Exemptions 
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Subject Access Exemptions 


Law/Revenue Enforcement 
Judicial Appointments 
Legal Privilege 


Solely for Statistics and Research 


Solely for Back-up 
Data held by Regulatory Bodies 


fig 1.4 Subject Access Exemptions 
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Non-Disclosure Exemptions | 


Law/Revenue Enforcement 
Natlonal Security 


fig 1.5 Non-Disclosure Exemptions 
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The Data Protection Act 1984 
Possible Orders 


Section 2 (3) 
Additional Safe dards Relating to 
Raclal Orig 
Political Opinions & Holoinus or Other Beliefs 
Physical or Mental Health or Sexual Life 
Criminal Convictions 


Section 4 (8) 
pai Particulars to be Included In 
e Data Protection Register 


Section 21 (9) 
Requests on behalf of the 
lentally Incapable 


Section 29 (1 


Modified Subject Access OD. ei Sons to 
Physical or Mental Health Data 


Section 29 (2) 
Modified Subject Access Provisions to 
Social Work Data 


Section 30 (2) 
a Subject Access Exemption to protec’ the Public from 
Financlal Loss due to 
Dishonesty, Incompetance or Malpractice In 
Financlal Services, Management of Companies 
or the Conduct of Bankrupts 


Section 34 (2) 
Modified phe ect Access Exemption to 
Information Prohibited or Restricted by Law 


flg 1.6 Orders under The Data Protection Act 1984 
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fig 1.7 The Registrar's Activities 
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Registrar 


Maintain Register of Data Users 
& Computer Bureaux 


Promote Data Protection Principles 


Consider Complaints from 
Data Subjects 


Promote Awareness of Public 
about Data Protection Act 


Encourage Production of 
Codes of Practice 


Co-operate with Parties to 
Council of Europe Convention 


Report Annually to Parliament 
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Powers of the Registrar 


Enforcement Notice 


Transfer Prohibition Notice 


Deregistration Notice 


Data Protection Tribunal 


handles appeals against Registrar's 
refusal of registration 
issue of Data Protection Notices 
decisions on urgency 


fig 1.8 The Registrar's Powers and The Tribunal 
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Chapter 2 
Administration and Implementation within 
the NHS 


2.1 Introduction 
Over the last two decades the National Health Service, like many other 
organisations, has come to rely on the use of effective computer systems and this 
development is accelerating as more and more facilities can be provided by 
computer systems and as more and more cost effective systems become available to 
the Service. It is far too early to be clear how much effort will be required to 
maintain the effective implementation of the Data Protection Act 1984 within the 
NHS especially as the Subject Access provisions have not yet come into force and it 
is, therefore, not clear what volume of Subject Access requests will be normal for a 
Health Authority. Furthermore, the tests of what is reasonable to expect in the way 
of security and other measures required to implement the Act are still to be 
determined by the courts and this, again, will heavily influence the staffing needed 
under the Act. 


However, the following arrangements will cover initial requirements of an 
Authority and it will simply be necessary to provide additional staffing to meet the 
forty day time limit for Subject Access requests [it is expected that the Order 
relating to Personal Health Data will not include any modification to the standard 
time allowed in the Act for Subject Access to other Personal Data] or to meet with 
higher levels of administrative activity in verifying compliance with the Act by the 
various Units and Departments of the Authority. The Guidelines will be up dated as 
further evidence becomes available. 


1 Chapter2 NHS Data Protection Handbook [version 3.0] May 29, 1987 


2.2 Establishment of an Organisation 

The implementation of the Data Protection Act 1984 requires the establishment of 
policies and the effective implementation of them within the Authority. It also 
requires the establishment of formal agreements with related organisations 
(Universities, Local Authorities, FPCs etc.] and a substantial input of clerical, 
technical and managerial time to ensure that the implementation is carried out 
correctly. 


The first step in this process is the establishment of an effective chain of 
administrative responsibility for the various activities to be carried out to ensure 
compliance with the Act. Where the balance of responsibility lies between a 
designated member of staff [or contracted consultants], an appropriate Data 
Protection Steering Group, the chief officers and the Health Authority itself is a 
matter for convenience, efficiency and local decision. Similarly, the balance of 
activity between Heads of Departments, specially designated staff or committees is 
likewise for discussion. 


As a minimum, specific responsibilities and authority to deal with Data Protection 
matters should be clearly allocated with resources appropriate to the size of the task 
within that Authority. The function of co-ordinating the Data Protection activity 
can be organised in various ways to suit the local requirements of the Authority, but 
it is perhaps most easily be described throughout this Handbook as if there were an 
individual Data Protection Co-ordinator, possibly with supporting staff, carrying 
out this co-ordinating function. The legal responsibility for handling Data 
Protection lies with the Health Authority, or other Data User e.g. a general 
practitioner. The Data User must make appropriate arrangements for discharging 
this responsibility. 


The various components of the system most likely to prove satisfactory in the long 
term are indicated in figure 2.1 and are described below. It is recommended that 
Authorities consider establishing the following organisation to secure compliance 
with the Act:- 


a Data Protection Steering Group 

This should be a multi-disciplinary group representative of the key disciplines 
concerned with the Authority's data holding and it should be set up at the highest 
level so that it has the authority to implement its decisions. The Steering Group 
should be responsible to the Authority for the formulation and implementation of 
measures necessary to ensure compliance with the Data Protection Act 1984. 


There are sound arguments against an unnecessary proliferation of committees but 
there are some items in the area of Data Protection and Confidentiality where a 
broad judgement has to be taken on behalf of the Authority taking into account the 
views of a variety of different professions. Such judgements are better taken in the 


type of committee described. 
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Where possible the detailed measures for implementation can be assigned to the 
judgement of a suitable individual but in this case the individual's judgements must 
be properly supported by the senior officers of the Authority, otherwise action will 
have to await some informal agreement on action which will be more 
time-consuming and inefficient than using the committee in the-first place. 


b Co-ordinating Data Protection 

The implementation of the plans depends on the assignment of individuals to handle 
the Data Protection Co-ordinating function and to assist the Steering Group with 
the considerable work-load of ensuring compliance with the Act. Each Authority 
should assign someone to act as the senior Data Protection Co-ordinator to be 
responsible to the Steering Group for compliance with the Data Protection Act 1984 
within the Authority. 


Although the initial registration has been carried out within many Authorities 
without the appointment of additional full-time staff, it must be expected that few 
Authorities are likely to be able to discharge their responsibilities under the Data 
Protection Act 1984 without assigning a staff resource of at least 1 wte specifically 
to the function of handling Data Protection and other related issues. An outline of 
the main Data Protection Co-ordinating functions is included in Appendix 1. The 
references below to the Data Protection Co-ordinator refer to whatever local 
arrangements have been assigned for the purpose of handling these functions. 


The Data Protection Co-ordinator must ensure that all registerable data usage 
within the Authority's jurisdiction is covered by appropriate registrations on the 
Data Protection Register. He , or she, will be responsible for ensuring compliance 
with the Eight Data Protection Principles throughout the Authority, for giving 
advice to those responsible for individual computing systems and for establishing 
appropriate training facilities for the various groups of staff involved in some 
aspect of the implementation of the Act within the Authority. He will be responsible 
for all aspects of data security including the physical security of equipment and the 
disposal of output from computer systems [print-out and microfiche]. He will, also, 
be responsible for developing a suitable Code of Practice for those using and issuing 
Personal Data. He will receive, monitor and log applications for Subject Access 
referring to the appropriate Data Custodians for the relevant information. He will 
liaise with Data Custodians for relevant information, agree procedures for the 
release of information to Data Subjects and consult in cases of difficulty. Under the 
Data Protection Act 1984 all access to Personal Information must be treated as 
strictly confidential and no unauthorised disclosure must be allowed. 


3 Chapter 2 NHS Data Protection Handbook [version 3.0] May 29, 1987 


In view of the substantial amount of work involved in conducting and maintaining a 
survey of the Authority's computer equipment and systems, ascertaining the details 
of the Authority's data usage, interviewing those using Personal Data, establishing 
and maintaining staff awareness of Data Protection issues, compiling and 
maintaining the Authority's registrations, and carrying out appropriate 
departmental checks to maintain compliance, it may in some cases be appropriate to 
designate additional "sector" or "unit" Data Protection Co-ordinators. These will 
take the responsibility of compliance in geographic or administrative units. There 
may also be a need for administrative and clerical staff to assist the Data Protection 
Co-ordinators discharge their responsibilities. 


c Heads of Departments 

Since no Data Protection Co-ordinator can maintain control of all the dispersed 
systems operated on behalf of even a small Authority, it is essential that 
administrative control should be effected by Heads of Departments, in conjunction 
with individuals designated as Data Custodians, who can ensure that the policies of 
the Authority are properly implemented in respect of Data Protection. 


The Heads of Departments are responsible for their department's computer systems, 
data usage, disclosures of Personal Information and systems security. They must 
ensure that the Eight Data Protection Principles are fully implemented and observed 
and that all uses of the systems under their control comply with:- 


1 The Authority's registration under the Data Protection Act 1984 

2 Authorisations agreed with the Authority's Data Protection Co-ordinator 
3 The Authority's Policies and Code of Practice on Data Protection 
4 


The departmental User Guide [compiled by the Data Custodian and agreed 
with the Data Protection Co-ordinator] 


In some cases it will be appropriate for the Head of Department to handle all these 
duties personally and in these cases he will normally be designated as the Data 
Custodian for the Department. However, this will not generally be possible where 
the data holding is extensive or where he, or she, carries a substantial departmental 
workload. In such situations it would be normal for the Head of Department to 
specify the basic requirements, take decisions on non-routine releases of 
information and have the support of one or more Data Custodians responsible for 
handling the day by day supervision of the systems concerned [see d]. No precise 
specification of the division of responsibilities is appropriate because this will 
depend on local circumstances but, however things are arranged, it is the 
responsibility of the Head of Department to ensure that he has a sufficient 
understanding of the Data Protection Act 1984 and to see that all the relevant duties 
are discharged, either personally or by delegation. Each computer system must be 
controlled by a specified individual who carries the responsibility for ensuring that 
all the agreed tasks are carried out. 
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d Data Custodian 

A Data Custodian is a designated member of staff responsible to their Head of 
Department for some specified part of the Authority's data holding and usage. 
These are not new staff appointments but extra duties for Data Protection are 
assigned to existing staff already carrying out system management functions in 
respect of the department's computer systems. Typically these staff are those 
already responsible for the routine management of particular systems. Their main 
Data Protection activity will be to control the functioning of these computer systems 
within the policies laid down by the Head of Departmment in conjunction with the 
Data Protection Co-ordinator. Normally they will be knowledgeable about the 
operation of their systems as well as about the data held in the systems. In the case of 
systems containing primarily Personal Health Data it would be normal for the Data 
Custodian to be an appropriate Health Professional. 


Data Custodians are responsible for ensuring that the Eight Data Protection 
Principles are fully implemented and observed and that all uses of the systems under 
their control comply with:- 


1 The Authority's registration under the Data Protection Act 1984 
2 Authorisations agreed with the Authority's Data Protection Co-ordinator 
3. The Authority's Policies and Code of Practice on Data Protection 


4 The departmental User Guide [compiled by the Data Custodian and agreed 
with the Data Protection Co-ordinator] 


The Data Custodians will normally handle most of the routine liaison between the 
Data Protection Co-ordinator and the department concerned, they will take the lead 
in preparing the departmental User Manual and be primarily responsible for 
assigning passwords for access to the stsrems and handling the security procedures. 


e Authorised User 

An Authorised User is someone who has been trained and is listed as Authorised to 
use the Data System on behalf of his or her Authority, within the requirements of 
the Data Protection Act 1984, within the current registrations listed by the 
Authority in the Data Protection Register and within the Authority's Code of 
Practice on Data Protection. In using the computer systems, the individual 
operates, for Data Protection purposes, under the control of the authorising Data 
Custodian. 


Word Processing and Electronic Mail systems normally require registration but the 
Authorised Users of such systems do not require the same degree of training and 
knowledge of the Act. They can be described as Word Processing/Electronic Mail 
System Users 
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Following the terminology logically, an Authorised System is a system that has 
been agreed by the Data Protection Co-ordinator as either covered by one or more 
of the Authority's registrations, provided that it is used within the purposes 
registered and other terms of the registration, or exempt, provided that system is 
operated so that it continues to fulfill the conditions of the exemption. . 


f Region-wide Liaison in Data Protection 

In order to assist in securing Region-wide compliance with the Data Protection Act 
1984 in England. It may be helpful to assign to an individual the task of monitoring 
all aspects of Data Protection throughout the Region and liaising with the District 
Data Protection Co-ordinators, Data Custodians and General Managers where 
necessary in order to secure compliance with the Act and to simplify procedures to 
provide more cost-effective compliance. It will, also, be necessary to maintain 
contact with the Centre for Information Technology and Data Protection 
Registrar's Office and keep abreast of developments in the field of Data Protection 
both from the practical point of view and from the developing legal situation. 


An individual with such monitoring and liaison responsibilities might be designated 
as the Regional Data Protection Officer. Such an individual would be closely 
involved with the implementation of the Act within the Region. Depending on 
circumstances, the Data Protection Officer may handle the Data Protection 
Co-ordinating function as well, or may be supported by a Regional Data Protection 
Co-ordinator according to the volume of work to be handled and the degree of 
monitoring of District Data Protection activity to be carried out. 


g Staffing Generally 

A substantial administrative superstructure must be erected, made to function and 
kept in working order. All the evidence so far indicates that Authorities have 
under-estimated the work involved in implementing the Act and that the manpower 
so far deployed is certainly insufficient to achieve compliance initially, insufficient 
to maintain system security and compliance even if it had been achieved initially and 
certainly insufficient to handle the likely load of Subject Access requests within the 
timescale allowed by the Act. 


An outline of the various functions to be carried out is given in Appendix 1. The 
size and complexity of the management task of ensuring that an NHS Authority 
complies with the Data Protection Act 1984 varies according to its size, its 
geographical spread, its organisational complexity and its degree of 
computerisation. The scheme described above is suitable for most Health 
Authorities but there is considerable scope for altering the balance of work and 
responsibility between committees and individuals but all the responsibilities must 
lie somewhere specific and the allocation of tasks must be recorded. 
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Until the Act has been fully operational for a period, it is impossible to be sure of 
the amount of work required to ensure compliance with the Act and sufficiently 
rapid responses to Subject Access requests. It is unlikely that these functions can be 
discharged satisfactorily with less staff resource than 1 wte assigned to Data 
Protection Co-ordinator tasks for each Authority and more support may be 
required. The individuals involved should, if possible, be part of the growing 
group of Information Specialists so that career development and any redeployment 
of surplus time can be utilised in this broad area of activity. 


7 Chapter 2 NHS Data Protection Handbook {version 3.0] May 29, 1987 


2.3 The Data Protection Steering Group 

Decisions on Data Protection issues vary from the small and insignificant to matters 
of considerable substance that will interfere with established patterns of working. 
Even though it is possible for a single individual to take decisions, it is more 
cost-effective for important matters to be thrashed out once and decided definitively 
as Authority policy in some multi-disciplinary forum representing all relevant 
disciplines at a senior level rather than have repeated and often inconclusive 
individual discussions at a lower levels. 


The key functions of the Steering Group:- 


a Set up and oversee the Authority's administrative arrangements for 
implementing the Data Protection Act 1984 and for ensuring subsequent compliance 
with the Act 


b Ensure that the Authority, as Data User, complies with the requirements of the 
Act and in particular ensures that its data usage complies with the Eight Data 
Protection Principles 


c Ensure the Authority, where providing Computer Bureau services, complies 
with the Eighth Data Protection Principle concerned with data security, integrity, 
and the disclosure of Personal Data, even when providing Computer Bureau 
services for associated Health Authorities 


d Initiate and maintain a complete record of the Authority's computing systems, 
computer usage and other equipment that might lead to the holding of Personal Data 
and data usage 


e Register the Authority's Data Holding, authorise systems covered by these 
registrations and ensure that the authorised systems are used within these 
registrations 


f Ensure that no new systems are purchased or brought into use without being 
authorised as being covered by the Authority's registration under the Act, as having 
adequate security features and having established appropriate arrangements for 
compliance with the Data Protection Principle 


g Where staff have access to sensitive Personal Information, arrangements 
should be made to ensure that such staff are trustworthy 


h___ Ensure that appropriate measures are taken to train staff using computer 
systems, or handling Personal Information, in the correct method of operation of 
the computing equipment, the requirements of the Data Protection Act 1984 and in 
the requirements of the Authority to secure compliance with the Act 
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i Ensure that proper written procedures are developed covering the Authority's 
general Data Protection Policies, the Code of Practice governing the Authority's 
detailed requirements for handling Data Protection matters and the specific User 
Manuals concerned with the particular requirements of a specific system or 
department 


j _ Ensure proper staff and Member awareness of the implications of the Act 


k Ensure that suitable contractual arrangements reflecting the Authority's 
procedures for compliance with the Act are made with temporary and permanent 
staff, consultants and advisors, suppliers [particularly suppliers of computing 
equipment, software and maintenance services], associated Health Authorities and 
non-NHS bodies such as University Authorities, Local Authorities, Public Health 
Laboratory Services, Charitable Foundations using Authority premises, equipment 
or Personal Data. Particular care should be taken with those using home computers 
on the Authority's behalf 


1 Ensure that the Authority's professional computing staff do not have 
unnecessary access or unauthorised access to Personal Information held by the 
Authority 


m Ensure that there are simple and clearly defined arrangements by which 
Authorised Users can satisfy themselves about the method of operating their 
systems, the constraints imposed by the Authority's current registrations and 
procedures and any matters relating to confidentiality or the disclosure of Personal 
Information 


no Ensure that appropriate Data Protection Compliance checks are instituted on 
all the Authority's systems and data usage to ensure compliance with the Act 


o Ensure that appropriate Subject Access procedures are developed that enable 
the Authority efficiently to comply with the requirements of the Act 


p __ Report to the Authority at agreed intervals on the discharge of the Authority's 
responsibilities under the Act 


The most efficient use of the Data Protection Steering Group will be achieved when 
it takes the key policy decisions, oversees the development of the Data Protection 
Policy, Code of Practice and monitors the performance of the detailed work by the 
Data Protection staff. 
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2.4 Staff Awareness and Training Programmes 


a Training 

There are a variety of tasks to be undertaken to enable the Authority to comply with 
the Data Protection Act 1984 and these various tasks have to. be phased in 
conjunction with the development of the technical activities. There are a variety of 
interacting facets of the total training package that must be organised to re-inforce 
each other varying from the advisory staff notices and warning labels to the clearly 
contractual conditions in staff, contractors/consultants or suppliers contracts. The 
written material in the form of Authority Policies, Code of Practice and 
Departmental User Manuals must support the messages given by the training 
courses. The actual training cannot, of course, be given on material that has not been 
previously thought through and written down nor can staff, or other Authorised 
Users of the Authority's systems, be expected to observe procedures that have not 
been adequately explained to them and detailed in Policies, in a Data Protection 
Code of Practice or in their User Manuals. The training must be extended to cover 
all those involved in using the Authority's Personal Data whether 
permanent staff, temporary staff, Members, advisers, contractors/consultants, 
ambulance liaison officers, voluntary workers, medical students and staff of 
associated Health Authorities and bodies such as Local Authorities, Universities etc. 


The basic training modules needed are as follows:- 
1 General Staff Awareness of the Act 
2 Specific Training for Heads of Departments and Data Custodians 
3 Specific Training for Authorised Users of specific systems 


In each case the basic material can be built up from the very helpful NHS Training 
Authority/NCC Data Protection Act Resource Pack which provides overhead 
projector transparencies suitable for explaining the arrangements established under 
the Act. In addition, Video Arts Ltd have provided two helpful video tapes which 
introduce the Act and the approach to registration in an easily assimilated fashion 
[see Appendix 6]. The bias and length of each training module will depend on the 
number and seniority of the audience, and the degree of detailed knowledge and 
activity required of them. An hour's lecture will be sufficient to outline the Act at a 
very general level but any detailed work is more likely to require a half day or a 
whole day session. Induction courses for staff should routinely include a short 
outline of the Act's requirements. As with initial registration it is likely that the 
approach to Subject Access under the Act [on 11 November 1987] will require 
special sessions for Heads of Departments and Data Custodians to set up the 
necessary arrangements for acquiring the relevant Personal Information 
sufficiently rapidly for the Authority to comply with the time requirments of the 
Act. 
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b Letters, Notices and Labels 

A wide variety of means may be adopted to ensure that staff are aware of their 
responsibilities under the Act and the circumstances in which they may be held 
personally liable for a breach of the Act. The degree to which the various 
approaches are used in any particular Authority is a matter for discussion but in 
general all avenues for making staff aware of the implications of the Act are worth 
exploiting until the standard warnings and advice become part of the organisational 
culture. Briefly, no-one should be able to use the Authority's computing facilities 
or Personal Information from the Authority's data holding without becoming aware 
of the existence of the Data Protection Act 1984, the Authority's measures to ensure 
compliance with the Act and its registration under the Act. 


Staff advisory letters, such as the one shown in Annexe 2.1 at the end of the chapter, 
are a simple means of ensuring that each member of staff is contacted. They can 
conveniently be included with the staff pay packets in the same way that many 
financial matters are drawn to the attention of staff. In order to use this channel of 
communication it will be necessary to make arrangements with the Treasurer as 
such a communication will be an unusual non-financial use of the pay packet. This 
approach is not a ineans of avoiding the usual administrative channels, which must 
also be employed by providing briefings for Heads of Departments so that they can 
inform their staff, but rather it is a complementary approach which attempts to 
reduce the chance of areas of ignorance where the management's message fails to 
penetrate the clutter of important operational information. 


A variety of Data Protection stickers is available to bring the need for careful 
handling of Personal Information to the attention of staff. These can be used in 
conjunction with larger posters prominently displayed and notices on departmental 
noticeboards giving rather more detailed advice. 


Labelling of equipment [using cheap "Able Labels", Steepleprint Ltd, Earl's Barton, 
Northampton, NN6 OLS)] provides a very easy way of reminding Authorised Users 
of the conditions which the Authority is placing on their use of the equipment as 
well as providing a convenient non-threatening reason for inspecting all equipment 
currently being used on behalf of the Authority. This process may, also, be usefully 
extended to include the creation of a complete list of the Authority's computing 
equipment using numbered aluminum labels of the type used for recording 
company assets. The Data Protection Co-ordinator then has the opportunity of 
recording the serial numbers of all equipment in an Equipment Register. 


A similar approach can be adopted with computer output advising the reader that 
the information includes Personal Data which must be treated confidentially as 
required by the Data Protection Act. This can be achieved in three ways according 
to the circumstances:- 
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a Small volume output can have appropriate labels stuck at the top of the 
print-out manually 


b Large volume output can have a programmed title indicating 
the sensitive nature of the output 


c Computer output could utilise paper routinely which has a suitable 
warning about the Data Protection Act 1984 and the consequences of 
unauthorised disclosure of Personal Information 


There are arguments about the degree to which such warnings might alert 
individuals to the possible existence of Personal Data which they might mis-use and 
of which they might have otherwise remained ignorant. However, it should not be 
possible for individuals to come into possession of Personal Data without having 
been advised of the requirements of confidentiality demanded by the Authority and 
by the Data Protection Act 1984. 


Very sensitive information must be handled with great care. It shou!d not be 
printed unless such printouts are essential for the purposes of the system as the 
security precautions required for the handling of such material are very stringent 
and cumbersome. The use of numbered copies printed on paper that is difficult to 
copy, or that clearly reveals the fact of unauthorised copying, is the sort of 
cumbersome measure required to handle such information. These requirements 
verge on the steps needed for handling low-grade information relating to national 
security. 


ce Clauses in Staff, Contractor and Supplier Contracts 

A considerable amount of time has been spent discussing the relative merits of 
including particular clauses in contracts and whether they should make specific 
reference to the Data Protection Act 1984. The best advice that can be obtained at 
present is that the positive approach is a desirable one. The Data Protection Act 
1984 makes rather special demands that have not yet become part of the 
organisational culture of the NHS. Any member of staff may be held personally 
liable for an act carried out in the course of his, or her, normal duties and it is 
difficult to see serious arguments against including a Data Protection clause in staff 
contracts. However, the fundamental requirement is that the Authority should be 
able to prove in a court of law that it had:- 


1 consciously adopted appropriate policies to comply with the Act 


2 set up the necessary measures or systems required to secure that 
compliance 


3 ensured that all staff understood what was required of them (according 
to the various responsibilities carried) 
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4 monitored the performance of the various measures or systems in 
securing compliance 


5 checked compliance at departmental level 


6 maintained staff awareness and training to ensure continuing 
compliance ; 


These requirements can be achieved in a variety of ways. If no clauses are included 
in contracts then alternative but equally effective steps are required. When an 
individual is listed as an Authorised User of a system it would be good practice to 
ensure that he, or she, is provided with an appropriate information pack governing 
the usage of the system [a User Manual], the Authority's Policies and Code of 
Practices concerned with Confidentiality and Data Protection and the Data 
Protection registrations for the system in question. It would also be good practice to 
ask that he, or she, should sign that the material had been read, and understood after 
the opportunity had been given for resolving any questions that might have 
occurred during the reading. Suitable forms for signing have been included for 
Authorised Users and Word Processing & Electronic Mail System Users as Annexes 
3.1 and 3.2. 


Suitable clauses for inclusion in contracts are given at the end of the chapter as 
follows:- 


Annexe 2.2 General Staff Clause 
Annexe 2.3. General Contractor Clause 


Annexe 2.4 Clause for the Suppliers of Computer Hardware, Software and 
Maintenance Services 


Clearly, new contracts can readily have these clauses incorporated within them but 
each Authority must judge whether a total re-issue of staff contracts is warranted, 
whether staff should be advised that their contract is deemed to include the relevant 
clauses, and whether staff should be asked to sign that they have understood the 
requirements expected of them and understood how appropriate levels of 
compliance are to be achieved. Where particular responsibilities are to be 
discharged by individuals then these requirements should be properly agreed with 
them and where possible incorporated within their Job Descriptions. Appendix 1 
outlines some of the key functions to be discharged. 
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2.5 Survey of Systems and Personal Data Usage 
Before registration of the Authority's data usage is possible it is necessary to carry 
out a survey of systems and data usage throughout the Authority. This is most 
satisfactorily achieved by conducting a postal census of equipment using the formal 
management structure of the organisation and then following this with detailed 
interviews with the individuals revealed by the census as handling registerable 
Personal Data. The census must be effective in covering all the computer systems 
either owned or operated by or for the Authority. This includes mainframe 
computers, minicomputers, microcomputers, word processing equipment. Even 
some equipment like telephone logging systems, door entry control systems, 
computer controlled microfilm viewers and advanced analytical or imaging 
equipment can be controlled by the Data Protection Act 1984 although it does not 
appear to qualify at first sight. This survey, certainly, must include all home 
computers used for the Authority's business. 


It can readily be carried out with a questionnaire circulated through departmental 
heads and medical and dental consultant staff. Undoubtedly, the response will be 
patchy and the results incomplete but the census has the merit of concentrating on 
the concrete issue of physical equipment rather than the rather more abstract 
concepts of data usage which can be more readily handled in the follow-up 
interviews. It is a matter for debate as to how much information can usefully be 
secured on a questionnaire and how much is better left for subsequent discussion. 
The necessary end-point must be the completion of a draft DPR1 Part B form which 


lists:- 
a Purposes for which the system is used 
b Types of individuals on whom Personal Data is held [Data Subjects] 
c Classes of Personal Data held on the system 
d Sources of Personal Data held on the system 
e Disclosures made of the Personal Data held on the system 
f Overseas transfers of Personal Data in computer readable form 


However, most of these questions will not be understood by anyone unfamiliar with 
the Act and hence at this census stage the main thrust of the enquiry should be 
directed at securing information about computer equipment first rather than 
worrying too much about the refinements concerned with the details of data usage. 
A suitable form for running such a survey is given as Annexe 2.5. It can form the 
basis of the Authority's equipment register and maintenance arrangements. The 
main doubt about the census centres around its completeness and hence it is 
necessary to make as many cross-checks as possible to secure completeness, eg:- 
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1 Carry out checks with medical ethical committees about approved 
research projects 

2 Ask departmental managers to certify that the systems recorded for 
their department constitute the full list of equipment used by their staff 
or their department. 
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2.6 Equipment Census 

The census, using a form similar to that in Annexe 2.5, which comes from standard 
spreadsheet software, provides the starting point for the investigation of the 
Authority's data usage and it enables the following matters to be addressed:- 


a Register of Equipment 

The census provides the basic material for creating the Authority's Register of 
Equipment which records the existence, location, ownership and serial 
number of the equipment used by or for the Authority. This should include all 
computers, computer terminals and output devices (including word 
processors and electronic typewriters with long term storage capacity as well 
as the specialist equipment noted in section 2.5) from which information may 
be accessed, manipulated or output. How much additional detail is also 
recorded depends on any other uses of the register but it could be used as a 
basis for handling maintenance records and Authority assets. As mentioned 
above the use of numbered aluminum company asset labels will help to keep 
track of the large amount of equipment used by most Health Authorities. Some 
fully integrated microfilm systems are controlled by the Act and must be 
included in the Equipment Register [see Section 2.8.i and Registrar's 
Guideline No 2 pp 32-33]. 


b Appointment of Data Custodians 

Although it will not be possible to make final decisions on the detailed 
responsibility for the equipment until the follow-up interviews have been held 
the census form should allow for the provisional allocation of the 
responsibilities of Data Custodian for the equipment. Even where no Personal 
Data is being processed, a Data Custodian will be required simply to 
ensure that things stay that way. 


c Outline of Information Held and Purposes 

Detailed information will not be readily obtained at this stage but an outline of 
the information and its uses should be sought. In the case of simple systems a 
printout of the basic computer record provides a good starting point. 
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2.7 Data Usage Interviews 

These interviews will be a continuing requirement of the process of ensuring 
compliance with the Act, developing from an initial exploratory discussion to 
elaborate on the information obtained from the Census through a detailed 
examination of data usage sufficient to establish the registration requirements into a 
systems security review and finally into a full Data Protection Compliance Check. 
The process is a complex one and it is foolish to pretend that all the ramifications of 
the Act can be settled quickly in a single discussion. As more of the Code of Practice 
becomes more fully developed there will be less need for detailed discussion because 
the detailed requirements will be more clearly established and this will enable 
matters to be dealt with more expeditiously. The key matters to be established 
during the Data Usage Interviews are as follows:- 


a Equipment 

The entries in the equipment register [Annexe 2.5] should be verified as complete 
and the administrative and geographical boundaries of the section should be checked 
to ensure that there are no isolated of outposted parts of the section that have not 
been included in the register. This can conveniently be confirmed by labelling the 
equipment with a warning label advising that 


PERSONAL INFORMATION 


MUST ONLY BE PROCESSED AND DISCLOSED IN ACCORDANCE WITH 


The Data Protection Act 1984 
Health Authority Registration 
Health Authority Policies 


in addition the numbered property stickers can be attached and the serial numbers of 
the equipment recorded. 


b ‘Purposes of the Data Usage (DPRI Form B section B1) 

The Registrar has developed a series of codes for registration purposes and they 
provide the easiest starting point to the discussion. The codes are listed in his 
booklet entitled "Notes to help you apply for Registration". Each system must be 
explored in order to identify the most appropriate purpose or purposes for which it 
is used. Each purpose is considered to include the sub-purpose "analysis for 
management purposes and statutory returns", so that it is unnecessary to specify 
Research and Statistical Analysis [P016] in association with each purpose. This is 
only required where this is the fundamental purpose of the data usage. The 
purpose(s) finally selected as appropriate should "most closely describe your use of 
Personal Data". It is not necessary to list all of the standard purposes that might 
apply to the data usage but all actual, or proposed, uses must be clearly covered by 
the purpose(s) selected. 


17 Chapter2 NHS Data Protection Handbook [version 3.0] May 29, 1987 


A single computer system may require several DPR1 Part B forms to be completed 
as only one purpose may be entered on each Part B form. Similarly, it will be noted 
later, that a single Part B form may cover the registration of several different 
computer systems; it is data usage not computer systems that is registered. 


It is not possible to list all the codes that may be needed to record NHS activity but 
the following are the most important codes used in health care:- 


P062 Provision of Health Care* 
P063 Ambulance Services 

P064 Blood Transfusion Services 
P065 Occupational Health Services 
P066 Public Health 

P067 Health Care Administration 


The most important other codes used in the Health Services are:- 


POO] Personnel/Employee Administration 
P002 Work Planning and Management 

P008 Purchase/Supplier Administration 

P012 Ancilliary and Support Functions* 

P013 Customer/Client Administration 

P014 Lending and Hire Services Administration 
P016 Research and Statistical Analysis* 

P017 Information and Data Bank Administration 
P020 Property Management 

P022 Education or Training Administration 


Where the Registrar has marked a purpose with an asterisk (*), it is mandatory to 
provide some additional information on the registration form to categorise the 
details of the activity. 


c Data Subjects (section B2) 

The next part of the form relates to those on whom Personal Data are kept. Again 
the Registrar has categorised the groups of individuals who might be involved and it 
is necessary to list one or more groups of individuals [in this case it is possible to 
record more than one group of Data Subjects on a single form] whose information 
is kept in the system and from which Personal Information may be processed by 
reference to Data Subject. The incidental recording of an individuals name, number 
or password is not conclusive evidence that they are a Data Subject in the system 
although it is good initial evidence. The information about a Data Subject must be 
retrievable, or intended to be retrieved, in some direct fashion. Futhermore, Data 
Subjects can only be living individuals not companies or other legal "persons". 
Thus, suppliers are not generally covered but a single person trader or consultant 
would be covered. The form also requires that the status of the individuals should 
also be specified as "current", "past" or "potential" this of course depends on the 
purposes of the systems and the practice of the users. 
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d Data Classes (section B2) 

The information held on the Data Subjects must next be identified, again using the 
Registrar's coding scheme. This calls for some care in interpreting the Data Classes 
in a uniform manner. If there are none of the usual identifying information 
[C001-C003] and there are no local codes from which the individual can be 
identified by the Authority, then the Authority does not hold any Personal Data that 
needs registration. It should be noted that as the Authority is being registered as the 
Data User, the test is not whether an individual member of a staff could identify an 
individual but whether anyone anywhere within the Authority has the information 
whereby such an individual could be identified. 


e Data Sources and Disclosures (section B3)] 
This sources and disclosures of information on the Data Subject(s) are categorised 
on the Registrar's DPR1 Form B into three groups as follows:- 

1 Data Subjects and Associates 

2 Data User and Associates 

3 General Description of organisations or Individuals 
It will generally be easy to ascertain where the information comes from, even 
though there will sometimes be several sources for particular data items according 


to circumstances. However, the disclosures present much greater problems 
because it is necessary to record all possible disclosures that may reasonably need to 


be made in the course of operating the computer system for the purpose(s) 


specified. If no disclosure has been identified then such a disclosure will not be 
allowed after the registration has come into force unless it is covered by a specific 
exemption under the Act. Thus for instance, where DHSS auditors are used they 
would be covered by the disclosure recorded on the financial registrations to DHSS 
but if an external firm of auditors were ever to be employed it would be important 
to have recorded a disclosure for "Accountants and Auditors D366" otherwise any 
disclosure would have to be confined strictly to that which would be covered by a 
specific exemption most of which are very tightly drawn and often fall short of all 
the information that might normally be expected. Again, the general principle is 
that if something has not been registered, it cannot be done is a good general guide 
for someone trying to obtain the basic data for registration. 


f Overseas Transfers (section B4) 

Information is required about Overseas Transfers of Personal Data [ie transfers 
outside the United Kingdom] which take place in computer-readable form not 
simply the disclosure of information in printed or verbal form to overseas 
organisations or individuals, which is dealt with in section B3. Overseas Transfers 
typically take place via computer-to-computer communications or the transfer of 
storage media such as magnetic tapes or discs. 
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Personal Data which had been output to paper or optical film with the intention of 
being read by some optical character reader overseas would need to be included. 
The definition of "Overseas" is wider than would normally be realised; the United 
Kingdom includes England, Scotland, Wales and Northern Ireland but it excludes 
the Channel Islands and the Isle of Man and, as might have been more easily 
anticipated, the European Community. The use of a Computer Bureau which used 
overseas computing power would, of course, qualify as a transfer. 


g Compliance with the Data Protection Principles and Systems 
Security 

The mass of information to be elucidated as outlined above precludes any serious 
attempt to carry out a very extensive examination of the various systems compliance 
with all aspects of the Data Protection Principles or with the requirements of 
systems security. These are important issues but they cannot be dealt with cursorily 
at the end of a long interview. However, a start should be made in the interview so 
that the systems managers begin to understand the nature of the questions that will 
have to dealt with. Technically, security is part of the the review of the Data 
Protection Principles [the Eighth Principle] but it involves quite distinct questions 
and is conveniently handled separately and specifically. 


The interview should include a discussion of the Data Protection Principles and 
their implications but without going into too much detail but rather signalling 
particular issues for future examination. Similar attention should be paid to the 
Eighth Principle concerned with Data Security. The obvious questions about 
physical security, access control, data control, security procedures, accuracy of 
data, printing and batch processing controls all need examination. The handling of 
passwords, the security of printouts and microfiche, the treatment of confidential 
waste all give clues to the adequacy of the security procedures currently operating 
which must be followed up later. 


h Other Data Usage 

The availability of equipment provides a guide to the department's data usage but it 
is important to check whether the department has any other usage of computer 
systems, including home computers with all their associated security problems, 
computer generated Personal Information in the form of printouts or microfiche 
from other Authority systems or non-Authority systems. Such data usage might 
involve additional purposes or disclosures which had not been revealed by 
discussions with other departments. 
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2.8 Examination of Exemptions 

Following the interviews, the basic material for registration has been obtained 
although compliance with the Act cannot yet be claimed. The next steps involve the 
identification of any relevant exemptions, the organisation of the basic registration 
material into a suitable form for registration and the registration of the Data User. 


There are only rare instances in which systems containing Personal Data held by the 
Authority are exempt from registration. The Registrar has issued detailed guidance 
on the interpretation of the exemptions in Guideline 6 "The Exemptions" but the 
following section deals with a few areas of doubt and misconception:- 


a Home Computers 

The exemption for an individual holding Personal Data "concerned only with the 
management of his personal, family or household affairs or held by him for 
recreational purposes" was listed in section 1.7 [Section 33(1) of the Act]. The 
Registrar's advice [Guideline 6 pp7-8] is that 


"The exemption is only available if the Personal data is held by the individual. It 
cannot therefore apply to Personal Data held by a company, club or other 
organisation.....It does not apply to individuals who hold Personal Data for business 
or professional purposes." 


If the work carried out is for and with the approval of the Health Authority, the 
Authority can be considered to be in control of the data and can be registered as the 
Data User. This might not even require additional registration forms if it simply 
involves doing at home the same activities as are carried out at work. However, 
irrespective of the size and location of the computer it is necessary to protect the 
Personal Data held by looking into both the physical and the data security of the 
system. The measures taken to protect the data depend on the degree of sensitivity 
of the Personal Data held but they must be sufficient to prove that the Authority has 
taken such care as in all the circumstances was reasonably required to prevent the 
loss, destruction, disclosure of, or the unauthorised access to, the Personal Data. 


If there is any doubt about the issue of who "controls the content and use of the data" 
processed on the home computer, the Registrar suggests that "it would be sensible 
for the parties themselves to define, by clear contractual provision, in which of 
them the control is vested". Where the Personal Data relates to the private practice 
or other professional activities of a member of staff the individual must register as 
the Data User. 


Health Authorities should have an explicit and publicised policy on home computing 
and it should be noted that all uses of Health Authority Personal Data must be 
approved through the local mechanisms and be consistent with the Authority's Data 
Protection Policies, Code of Practice and registrations under the Act. 
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In some very clear ways the operating system software and security facilities 
currently available for microcomputers are inferior to those available on larger 
systems. This might properly lead an Authority to ensure that very sensitive 
Personal Data are not held in such an insecure environment without instituting 
considerable physical security measures. 


b Word Processing Systems 

Section 1 (8) of the Act provides that operations "performed only for the purposes 
of preparing the text of documents" are not "processing" operations within the 
scope of the Act and are hence not therefore registerable. If, however, the Personal 
Information is processed for purposes other than simple typewriter-like purposes 
[eg to inspect, sort analyse and select information] then the use of word processoring 
systems will be deemed to fall within the scope of the Act and the purposes will need 
to be registered. 


The intended use of string search facilities to find references to individuals is one 
example of a registerable use of a word processing system. More generally it 
should be realised how easily new registerable systems can be generated with 
modern Personal Computing facilities. Any spreadsheet system can be used to 
provide a simple and useful database comprising Name, Address, Telephone 
Number and this is registerable material even though this material can be found in 
non-computer form in diaries, on notice boards etc. More complex systems can be 
created with equal ease. The same information can, of course, be held using word 
processing software although this may not be so convenient 


It is recommended that Authorities should register their use of word processing 
systems for correspondence as a separate Register entry (DPR1 Part A form, 
together with associated Part B forms). The Data Subjects will normally be listed as 
"Correspondents and Enquirers S024 Current and Past". The Purpose will 
normally be "Ancilliary and Support Functions P012" and further specified as 
"Word Processing and Electronic Mail Services for the Authority". The Data 
Classes should be listed as "Personal Identifiers C001" and "Uncategorised 
Information C132" and appropriate disclosures should be listed to cover the use of 
the Authority's correspondence. This approach allows the Authority to build up 
electronic correspondence and report files and Subject Access presents no problems 
as the Data Subjects already receive the letter. However, steps must be taken to 
ensure that no other categories of Data Subject can emerge as a result of 
using string search facilities to find individual names, or their equivalent, or by 
searching the correspondence for Personal Information about a third party, such as 
a reference or curriculum vitae for a colleague or member of staff held in 
association with a letter to someone else. 


The advantage of registering such Word Processing (and Electronic Mail) Systems 
separately is that it separates out such systems from the mainstream information 
systems and allows both the Data Subject and the Data User to treat such systems 
separately. 
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Routine Subject Access requests for Personal Data from the mainstream computer 
systems will not be confused with a time consuming search amongst the myriad of 
word processing systems while a Data Subject wishing to obtain Personal Data from 
these systems will be able to specify this requirement precisely. 


The normal use of word processing systems to handle staff or colleague references 
definitely brings them within the scope of the Act, if the references are held on the 
system and edited for subsequent use. This very common procedure opens these 
references out to Subject Access, because they are referenced by respect to the 
person for whom the reference is given and who then becomes a Data Subject. 


The Authority may wish to operate a more open reference policy and in this case an 
additional Part B registration formshould be included under the purpose 
"Personnel/Employee Administration P001" listing employees both past and present 
as Data Subjects and with Data Classes appropriate to the range of information 
covered in the Authority's references [eg Personal Identifiers C001, Current 
Employment C061, Work Record C065, Work Assessment Details C071, Physical 
Health Record C111 (if included) and Uncategorised Information C132 --according 
to Authority policy]. Such information shpould normally be associated with the 
register entry {Part A form] for Staff Purposes rather than with the Word 
Processing & Electronic Mail Purposes despite the fact that the information is kept 
on a word processing system. Great care is required to index these references and 
to include them in the Subject Access searches. 


If, however, such references, or any other Personal Data are to remain securely 
outside the scope of the Subject Access provisions of the Act, the following steps 
must be taken:- 


1 The reference may only be edited until it is finalised for its 
current purpose, once finalised it may be printed again but it must not be 
re-edited for later use 


2 It must not be searched for any specific word or name in the 
text [other than a correspondent already registered as a Data Subject but who is 
not the subject of the reference] 


3 Several copies of the printed reference may be stored in a manual file 
for subsequent manual editing, and possibly re-input to the word processor, 
but the electronic copy of the reference must be erased from the word 
processor storage media as soon as the letter and the reference has been posted 


4 In order to demonstrate compliance with the exemption from the 
Act, it is desirable to categorise the work on the word processor and 
establish well-defined life cycles for each category of work such as 
correspondence, committee minutes, reports and papers. 
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In addition to references, word processing systems may be handling registerable 
Personal Data where an individual's curriculum vitae are held in a departmental 
grouping [ie not simply by the person themselves] or where references in scientific 
papers [which includes living authors] are held in a fashion that allows searching for 
particular authors’ papers. Where any other categories of Data Subject are allowed 
to emerge, they must be included in the registration forms and provision must be 
made for Subject Access. Such additional data usage may require additional DPR1 
Part B forms to cover the additional purposes not simply an addition to an existing 
form. 


ec Electronic Mail Systems 

Electronic Mail systems exhibit many of the features of word processing systems, 
their material is usually unstructured but, of course, it may be organised in a 
structured form. It may be used "only for the preparation of the text of documents" 
or it may be used to hold and process Personal Data. However, it does have an 
additional feature in that it will inevitably have some form of directory. 


This directory may be a local one controlled by the system user or it may be 
controlled by thr organisation controlling the Electronic Mail Service and, hence, 
the Data User, as regards the Personal Data in the directory, may be either be the 
individual user [or his Authority] or the organisation offering the service. 
Additionally, if the directory is only used "for the purpose....of distributing 
....information” and if it consists only of “names, addresses or other particulars 
necessary for effecting the distribution" then the Personal Data in the directory may 
be covered by the mailing list exemption [Handbook 1.8]. The Registrar's guidance 
is contained in Guideline 3 [pp25-27]. 


There may be cases where the system is used as a fully organised database with 
structured data like any other computing system but the most usual Data Classes will 
be "Uncategorised Information C132" together with "Personal Identifiers C001" 


d  Auto-analyser Systems and Other Computer-based Medical 
Equipment 

If in this context Personal Data is processed solely for the purpose of producing a 

letter, report or other document it will not need to be registered. However, the 

retention and processing of these Personal Data for further purposes will bring this 

processing within the scope of the Act. 


e Payroll Systems 

The payroll exemption [Section 32, Handbook 1.8)] is within the narrow confines of 
calculating and making payments of remuneration or pension. The connection 
between payroll and personnel systems nullifies any claim for exemption and thus it 
is highly unlikely that any NHS payroll system would be exempt. Furthermore, the 
specific restrictions listed on the permitted disclosures are far too narrow to be 
usable in any situation other than a very small payroll. Even a necessary disclosure 
to a service engineer required to rectify a fault results in the exemption being lost 
unless each individual Data Subject has consented [Guideline 6 pp10-15]. 

24 Chapter2 NHS Data Protection Handbook [version 3.0] May 29, 1987 


f Accounting and Supplies Systems 

It is the Registrar's view that exemptions contained in Section 32 of the Act are 
likely to apply only to small businesses since the more sophisticated use of data in 
larger organisations will not comply with the conditions of the exemption as to use 
and disclosure of data. 


It certainly would be possible to eliminate these systems from the purview of the Act 
by taking effective steps to ensure that no living individual can be identified within 
the system. This would involve identifying all single person traders or named 
consultants and excluding them from the general systems. The relevant Data 
Custodian could provide the Data Protection Co-ordinator with a certificate 
guaranteeing that such individuals had been excluded and would be excluded in 
future. 


The single person traders and consultants would then be handled separately by a 
small sub-system, which might even be exempt itself under these strict conditions. 
Much depends on local practice as sometimes parts of the supplies system are used 
for the payment of travelling expenses or small consultancy projects. However, the 
effort involved in ensuring that this segregation is achieved in practice may be 
more than the effort of handling the necessary searching and security required by 
the Act but the possibility of exempting most of the system from Subject Access 
enquiries might make this approach attractive. The alternative is to use a separate 
Register entry for such single person traders and consultants in the accounting 
systems, any Subject Access would then be directed to a known requirement rather 
than happening as an unwanted by-product of some other Subject Access search. 


g __ Research and Statistics 

Personal Data processed for purposes of Research and Statistics fall within the scope 
of the Act and are registerable. However, such data systems may be run in such a 
fashion that they are exempt from Subject Access [Handbook 1.9 & Guideline 6 
pp30-31}. These data must not be used or disclosed for any other purpose and the 
results must not identify any of the Data Subjects. Many research systems within the 
NHS find their way into patient care and hence it is important that this exemption 
should not be used where this is likely. 


In the case of this exemption it is the Registrar's view that it is possible for Personal 
Data to be disclosed to a system service engineer, where it is for maintenance and 
repair purposes and under a contractual agreement that precludes further 
disclosure, if it is necessary strictly for the continued safe operation of the system or 
the continued integrity of the data base. Where such Subject Access exemption is to 
be used it would be worth entering on the DPR 1 Part B form on page 5 that 


"The identity of individuals is not disclosed in the results of the research" 
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It should be noted that all of the Registrar's standard purposes are deemed to include 
typical activities such as the "analysis for management purposes and statutory 
returns" [Notes to help you apply for Registration p12] and in his note 3 relating to 
PO16 on Research and Statistical Analysis he underlines this as follows:- 


"Incidental analysis of information already held for another purpose, in direct 
support of that purpose, will be covered the appropriate purpose code. All 
purpose descriptions include the typical activity "analysis for management 
purposes" to cover this incidental function” 


If the research is dependent on the collection of data specifically for research it will 
be necessary to register it under the "Research and Statistical Analysis P016" 
purpose describing the general nature of the research or analysis under this purpose 
eg scientific, technical, health, social ecconomic or market research. Health 
research is described in Note 2 as including "epidemiological research, clinical 
trials, biomedical research, research into the prevention, prognosis, treatment of 
disease etc". If this code is used without the required additional information 
describing the area of research the form will not be treated as having been validly 
completed. 


h Mailing Lists 

Under Section 33 (2) of the Act Authorities may claim exemption for Personal Data 
needed for the sole purpose of "distributing or recording the distribution of articles 
or information" [Guideline 6 pp17-19]. This exemption is lost if other information 
is held apart from "names, addresses or other particulars necessary for effecting the 
distribution" - if for instance telephone numbers are included - or if the information 
is used for any other purpose. The Data Subject must have been asked whether he 
objects to his Personal Data being held and used in this fashion and must not have 


objected. 


Since records have a tendency to get lost, the easiest method of ensuring that all Data 
Subjects on exempt mailing lists have been asked is to include in the mailing at least 
once a year a clear indication of the procedure by which an individual can get 
himself, or herself, removed from the mailing list or have details about him, or 
herself, changed or corrected. With regard to the exemption for un-incorporated 
clubs, existing members would have to be asked to agree to the current uses 
[including agreement to any necessary disclosures required for system maintenance] 
and then appropriate rules would need to be adopted that include appropriate 
consents to the uses and disclosures decided upon by the club. 
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i Microfilm Systems 

Microfilm or microfiche output from computer systems, along with printed or 
graphical output, is of course subject to all the provisions of the Act regarding 
disclosure. No disclosure of Personal Information should be made unless it is for a 
purpose listed in a registration form and to an individual or organisation of a 
registered category or unless the disclosure is covered by one of the Non-Disclosure 
Exemptions. Beyond this, no disclosure should be made to anyone either inside or 
outside the Health Authority unless it is necessary for the legal and registered 
purpose of the Authority. 


In general, microfilm or microfiche copies of manual records are exempt from 
the Act.. However, some systems are fully integrated with the computer index 
facilities in such a way that the manual records on the microfilm system become 
subject to the Act, even though the records cannot be processed in a computing sense 
- information can certainly be extracted from such systems and this is included as 
processing within the meaning of the Act. This topic is explored in Guideline 2 
(pp32-33). The problems of handling Subject Access to old medical records held on 
such a sophisticated microfilm system have not yet been fully explored but they are 
likely to be considerable. 
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2.9 Approach to Registration 


a Who Registers? 

Any Data User or Computer Bureau must complete at least one of the DPR 1 Forms 
A [which are mainly concerned with addresses] and, in addition, Data Users must 
complete one or more Forms B [which are mainly concerned with Personal Data, 
its content, purposes, sources and disclosures] for applications to be included in the 
Data Protection Register. 


The Data User is the “legal person" controlling and using the Personal Data and in 
the NHS environment this will normally be the Health Authority [or statutory 
agency established by Act of Parliament in Scotland, Wales or Nothern Ireland.]. 
Community Health Council and general practitioners must register in their own 
right where they have registerable Personal Data. The key issue in deciding identity 
of the Data User is that of the "person" controlling the collection of Personal Data 
and entitled to take decisions about the data to be held and its usage. Individuals 
simply receiving information from a computer system do not thereby become Data 
Users as they are not normally in any controlling position in respect of the Personal 
Data held or of the uses to which it is put [see Guideline 2 pp20-31]. 


Where systems are run on a computer not under the direct control of the Authority 
but they retain the control of the data and its subsequent usage, the Authority must 
register as a Data User and the "person" controlling the Computer Bureau, whether 
the Regional Computer Bureau, a neighbouring District Authority or an outside 
Computer Bureau must also register as a Computer Bureau under the Act. 
Generally, it is wise for Health Authorities to register both as a Data User and as a 
Computer Bureau because it is so easy to find that arrangements have been made to 
provide another Data User with the use of Authority equipment or to run their 
programs in the event of the failure of their own equipment even where the 
Authority does not run a specific computer bureau in the normal sense. 
Registration in this fashion allows normal arrangements of this sort to be made 
legally provided that proper steps are taken to ensure that adequate security 
measures are taken to protect the Personal Data being processed and to prevent 
unauthorised disclosure of Personal Data . 


In the event of there being any doubt about who controls the content and usage of the 
Personal Data [and therefore who registers], this doubt should be resolved by 
discussion between the parties concerned and a written agreement obtained which:- 


1 identifies the systems in question by purpose(s) and locations, and 


2 specifies the respective roles of the parties to the agreement as 
regards the functions of Data User and Computer Bureau and both 
parties will appoint the necessary infra-structure to support their 
agreed activities. The Data User will normally require to appoint a Data 
Protection Co-ordinator and/or one or more Data Custodians who will 


authorise individuals to use the systems. 
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The need for written agreements is particularly acute in situations where Personal 
Data and possibly employees are shared by two or more Authorities. The situations 
where NHS Authorities are involved with Universities, Local Authorities, Public 
Health and Social Services, charitable foundations and the Medical Research Council 
need careful resolution. Generally, the Health Authority should undertake to 
register any systems which hold data used directly for the care and treatment of 
patients or for the administration of patient care. Research and educational 
information will normally be more suitably registered by the Medical College. 
There is no restriction in the Act against both parties registering but this should be 
avoided wherever possible. 


b When Does Registration Becomes Effective? 

In general, an application or amendment or withdrawal of registration becomes 
effective from the date on which it is posted by recorded delivery or registered post 
[or on the date on which the Registrar receives it, if it is delivered in any other way] 
unless the Data User or Computer Bureau has been refused registration during the 
previous two years or is the subject of a De-registration Notice [see Section 7 of the 
Act]. The procedure can thus be very fast and responsive to local needs unless there 
are unresolved and contentious matters outstanding with the Registrar. 


c What to Register? 

Subject to any exemptions which apply it is necessary to register details of all 
Personal Data [ie that relating to living individuals] processed, or intended to be 
processed, automatically with reference to the individual. The exemptions are 
discussed extensively above from the point of view of the NHS and it is clear that 
they are generally rather less relevant than might be thought at first sight. If there is 
any doubt about the ability of the Authority to comply with any of the relevant 
conditions regarding an exemption then the Authority should register as a matter of 
principle. An unnecessary registration can always be withdrawn but a missing 
registration could give rise to an Enforcement Notice from the Registrar, a court 
appearance for contravention of the Data Protection Act 1984 or an action for 
damages and associated distress. 


d © What Registration Format? 

In considering the registration format the Authority must balance the ease with 
which it can access data under the Subject Access provisions of the Act with the 
convenience of the Data Subject in requesting access to his Personal Data. In 
general, too many entries would be confusing to the Data Subject while too few 
entries would involve unnecessary searching of the Authority's data systems in 
order to find the relevant Personal Data. Only a limited number of entries are 
expected from any Data User and each Subject Access request covers all the DPR 1 
Form B registrations associated with the specified DPR 1 Form A entry. The 
Registrar's advice on this matter [Notes to help you apply for registration p 2] is:- 
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"You may describe all the data you hold or use with one register 
entry, which may cover one or more purposes, or you may if you wish split 
your registration into several separate entries, each of which may contain 
one or more purposes. You should bear in mind that the Data Subject has the 
right to be given a copy of all Personal Data relating to him described in a 
single register entry, regardless of the number of purposes described in that 
entry. You must decide for yourself how you wish to register your purposes, 
and consequently how many entries you want in the register.” 


Potentially, the options range from a single entry for all the Authority's data usage 
to an entry for each computer system but the latter is believed by the Registrar to 
result in too many entries and would hence be confusing to the Data Subject and 
hence contravene Data Protection Principle 7. The early pilot trials of registration 
tested approaches using a single registration (Yorkshire), multiple registrations 
based on geographic or administrative units (Bradford and East Anglia), an 
approach using 30 administrative units which was refused by the Registrar 
(Cambridge) and an approach with three entries [A Forms] based on:- 


Patient Related Purposes 
Staff Related Purposes 
Other Purposes 


This last approach was found to be most satisfactory and was recommended to the 
NHS Authorities irrespective of size or organisation as being the approach that was 
most likely to be satisfactory when Subject access became effective on 11 November 
1987. It was envisaged that the Authorities in Northern Ireland might need an 
additional A Form to cover "Clients". 


Community Health Councils, General Practitioners, and Family Practitioner 
Committees must register separately where they hold Personal Data. 


In the event, the Registrar found "Other Purposes" unacceptably vague and 
" requested that the third entry should be described as "Miscellaneous Purposes”. 


In practice, Authorities registered in a wide variety of ways and, undoubtedly, some 
of the more complex approaches will prove too cumbersome for practical use. 
Some Authorities have found it helpful to include a fourth Part A Form for Word 
Processing and Electronic Mail systems or for Contractors but this is in the nature 
of a refinement rather than a fundamentally different approach. A single Part A 
Form would impose too great a complication in searching all the data systems 
whereas the use of many Part A Forms for handling various patient of staff systems 
run by a single Authority would seem unnecessary and confusing. 
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It is still too early to be sure of the best approach, from the point of view of Subject 
Access, but it is already becoming apparent that the administrative and technical 
effort of searching a multiplicity of computer systems can be reduced by helping the 
Data Subject to target the specific Personal Information required. In the very 
complex NHS environment any clearly distinct and logically separate activity is 
worth registering as a separate Register entry (DPR Part A form, with associated 
Part B forms). Accordingly, the following refinement of the original advice looks 
attractive:- 


1 Staff Related Purposes 


2 Supplies Administration and Contractor Purposes (single personal companies 
and named contractors) 


3 General Patient Care Purposes 


4 Specific sensitive Patient Care Registers requiring special security such as:- 
a Child Abuse Register 
b Mental Handicap Register 


5 Word Processing and Electronic Mail Purposes 

At Regional level additional entries might be required for distinct activities such as:- 
1 Cancer Registry Purposes 

2 Blood Transfusion Purposes 

3 Organ Transplant Purposes 


During the Subject Access Trials considerable difficulties have been experienced in 
attempting to search all patient care systems related to the relevant Register entry 
for Personal Data which actually exists on a few systems. Some further sub-division 
of the entry for Patient Care Purpose might reduce these problems but it is 
considered that the patient's Physical and Mental Health Data should be treated as a 
whole for the purposes of Subject Access and, therefore, registration. 


It is likely that any Health Authority which has not registered an entry for Word 
Processing Systems will be breaking the law unless it has ticked "Uncategorised 
Information C132" on all registrations. However, this latter approach would mean 
that all word processing systems would need to be searched for retained 
correspondence, etc, for each Subject Access request - an impossibly difficult 
administrative and technical task! A separate Register entry would be easier. 
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Where Hospital Activity Analysis or Kérner Data Sets dealing with individual 
patients do not include the identity, or access to the identity of the individual, as 
frequently happens at Regional Authority level, this does not qualify as holding 
Personal Data. Such databanks need to be treated securely, as would be required of 
Computer Bureaux, but they do not need to be registered and are exempt from 
Subject Access. As a matter of policy some Regions may feel this a desirable 
approach. The inclusion of a patient record number does not identify a patient to a 
Regional Health Authority, which does not normally hold a patient master index, 
but it certainly does identify a patient to a District Health Authority which does hold 


an index. 


Such a database may be used by several Health Authorities for a variety of purposes, 
but it will not be possible to claim Subject Access exemption under the Statistics and 
Research exemption for those Authorities whose usage would be covered by this 
exemption if only they were using the database. 
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2.10 Linking Computer Systems and Registration 


Forms 

It is necessary to remember that data usage not computer systems must be 
registered. Thus a single Part B form can be used to register several different 
physical computer systems which have the same purpose and the same types of 
records. Correspondingly, a single computer system may require several Part B 
registration forms if it is used for a number of different purposes. The draft Part B 
forms obtained during the Data Usage Interviews can now be assembled into the 
groups concerned with the chosen registration strategy and each group has to be 
examined to see which of the draft Part B forms registering the same purpose 
codes are sufficiently alike to enable them to be described by a single composite 
Part B form. For instance, many departments have sub-directories of working 
contacts consisting of name, work address and work telephone number [virtually the 
lowest level of Registerable Personal Data] and it would be confusing to register 
each department's system separately under the purpose "Ancillary and Support 
Functions* P012". A single registration simplifies the administration and 
paperwork provided that a two-way look-up table is maintained which records 
which systems are registered under which Part B forms and vice versa. 


A very sensitive collection of Personal Data requires separate registration [see 
below] but in between these two extremes, it is desirable to minimise the number of 
forms consistent with a proper description of the data holding and usage. Any 
group of Part B forms with a single purpose with basically the same groups of Data 
Subjects, Data Classes, Sources and Disclosures should be examined for possible 
grouping and frequently a few extra items will allow the grouping to take place. 
Generally, patient and staff systems will require separate registration but this will 
happen automatically if the recommended format is adopted. However, the patient 
systems will also list the consultant as a Data Subject as well as the "Patient S026" 
under "Advisors, consultants, professional and other experts S013" [the Registrar's 
form does not provide a very convenient description here of a consultant medical 
or dental practitioner, similarly a well baby cannot be described as a patient and 
"Minors S031" seems the best compromise]. It is unnecessary to register the 
existing Hospital Activity Analysis system separately from the new K6rner system 
when a few extra data classes will cover both requirements. In some circumstances 
it is useful to have several Part B forms covering a single purpose where security is 
an issue that can be more effectively reflected in that way. For instance a Blood 
Transfusion Service might have separate Part B forms for the Blood Donor 
Administration and the Laboratory Results System to emphasise that these systems 
are operated quite separately in to ensure the confidentiality of the information. 


In the process of combining and organising the various groups of forms the Part B 
form [section B1] has a space in which it is possible to relate the form to specific 
parts of the organisation, specific activities or to specific systems or groups of 
systems. The use of this section [which is entirely optional] may be of assistance to 
both the Data Co-ordinators handling the registration for the Authority and to Data 
Subjects reading the register with a view to making a Subject Access request. 
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2.11 Very Sensitive Systems 
In relation to very sensitive systems, the Registrar's Note 1 on the standard purpose 
"Provision of Health Care* P062" reads:- 


"If you hold data on any of the following specific purposes, you MUST 
indicate this in the space provided:- 


Genetic Services 
Contraceptive Services 
Abortion Services 
Infertility Services 
Care/Treatment of persons suffering from: 
- Mental Illness 
- Addiction 
- Sexually Transmitted Diseases" 


In addition to the above areas there will be those systems holding sensitive Personal 
Data for epidemiological and other operational and research purposes eg Cancer 
Registry. This requirement of the Registrar is taken to apply to systems specifically 
for the services listed rather than to general health care systems that happen to have 
isolated codes, such as the International Classification of Diseases [ICD] which will 
record in some instances a diagnosis that is included in the list. Where such 
specialist systems are to be registered, it is strongly recommended that a separate 
DPR 1 Part B Form should be used in order specifically to identify Personal Data 
held by the Authority for any of the purposes listed above by the Registrar. In these 
cases any grouping of Part B forms concerned with these services with the Part B 
forms concerned with general patient care would tend to conceal the existence of the 
specialist Personal Data and would not comply with the Registrar's intentions in 
specifically recording the existence of High Security data holdings for which he may 
wish to make special arrangements. 


In very sensitive cases it may be appropriate to maintain a totally separate register 
entry by including this registration under a separate DRP1 Part A Form as well. 
Furthermore the Secretary of State may make an Order under Section 2(3) to 
provide additional safeguards for such sensitive data. 


The handling of registrations and Subject Access under the Data Protection Act 
1984 is sufficiently complex that many Authorities will find it helpful to use some 
form of computer assistance. The simplest approach is to use one of the large 
integrated spreadsheet systems to record the relevant information but a number of 
commercial systems are becoming available. At present the most comprehensive 
system at present is that commissioned by the Information Services Division of the 
Scottish Office. 


34 -Chapter2 NHS Data Protection Handbook [version 3.0] May 29, 1987 


Pa 


2.12 Preparing Valid Registration Forms 

The application must be made on the official forms DPR1 [see Annexe 2.6] which 
are obtainable in sets from all Crown Post Offices. Each set consists of one Part A 
form, three Part B forms, labels and return envelopes and a copy of the Registrar's 
booklet "Notes to help you apply for Registration". This booklet on 
registration is mandatory reading for anyone attempting to register even simple 
systems under the Act. Additional Part B forms may be obtained on request. In 
case of any difficulty supplies of both forms and the Registrar's various publications 
can be obtained from:- 


Office of the Data Protection Registrar 

Springfield House, Water Lane, 

WILMSLOW, Cheshire, SK9 5AX 

tel 0625-535777 [enquiries] or 535711 [administration] 


It is important to note that the Registrar will not accept applications on photocopies 
of these forms; the original forms are required for making any application. 


One DPR1 Part A form is required for a single entry in the register and one DPR1 
Part B form is required for each purpose described in that entry. Since it takes the 
Registrar some time to acknowledge and verify application forms, and since valid 
applications can normally be treated as effective form the time that 
they are posted by recorded delivery [except where a registration has 
previously been refused or where the Data User is the subject of a De-registration 
Notice; see Chapter 2.9 (b) above] it is worth making sure that the application 
constitutes a valid application. This requires:- 


Part A forms 


Page 1 
1 The declaration on page 1 of each Part A form must be 


signed for the Authority preferably by the General Manager 


2 A fee of £22 must be enclosed with each DPR1 Part A application 
form 


3 Data Users must insert the number of Part B forms included 
with the Part A form 


Page 2 
4 Section Al Type of Application: Tick Data User and Computer 
Bureau normally 
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Page 2 
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Page 3 


10 


11 
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Section A2 Name and Address: Insert the official name and 
address of the Authority. Failure to keep these names and 
addresses up to date is an offence under the Act 


Section A3 Contact Name and Address: Insert the name of the 
Data Protection Co-ordinator, or other designated officer, with his 
address if it is different from that given in section A2 


Section A4 Company Registration Number is not applicable 


Section AS Other names is not applicable 


Section A6 Organisation sub-division: The details depend on the 
details of the Authority's approach to registration, and its data usage 
(eg RHA or DHA) but may look like the following:- 


Staff Related Purposes 

Supplies Administration and Contractor Purposes (single 
personal companies and named contractor) 
General Patient Care Purposes 

Specific sensitive Patient Care Registers such as:- 
a Child Abuse Register 

b Mental Handicap Register 

Word Processing and Electronic Mail Purposes 
Cancer Registry Purposes [if applicable] 

Blood Transfusion Purposes [if applicable] 
Organ Transplant Purposes [if applicable] 


hw Ne 


ara ann 


Section A7 Period of registration: this should be left blank to 
obtain the standard three year registration period 


Section A8 Subject Access Addresses: Authorities will normally 
use the single address of the Data Protection Co-ordinator by ticking 
box A3 [this is not required in cases where a Computer Bureau only is 
being registered] 
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Page 1 
1 


Page 1 
4 


Page 2 
5 


Page 3 
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Application Number: The number from the associated Part 
A form must be entered at the top of the Part B form. It 
does not have any lasting significance as a registration number but it 
provides an essential linking function before the register entry has 
been processed. The actual Registrar's reference number is provided 
when he acknowledges the receipt of the registration and until that has 
happened, it is not possible to edit an entry 


Section B1 Purpose: Method 1, in which the Registrar's standard 
purposes are coded, should be used. The standard purpose code 
selected from the Registrar's Notes to help you apply for registration 
should be entered together with the name of the purpose. Only ONE 
PURPOSE is permissible for each Part B form 


Section B1 Purpose Marked Codes: Wherever the standard 
purpose code is marked with an asterisk (*) the code must be 
amplified by additional information in the section of the 
form immediately below the purpose code as indicated 
by the notes relating to the code 


Section B1 Purpose: As with the Part A forms, it is possible but 
not necessary to relate the form to a specific part of the organisation 
or activity 


Section B2 Description of Personal Data - Data Subjects: 
The Data Subjects are listed from S001 to S040 on the form and 
appropriate selections should be made for the purpose concerned 
indicating whether the Data Subjects are "Current", "Past" or 
"Potential". Multiple Data Subjects are permissible and additional 
information can be added to describe the Data Subjects if required. 
Not every individual named or referred to in the computer record is a 
Data Subject but the list of groups of such individuals is a good starting 
point. Where it is not possible to search the records by reference to 
particular groups of individuals they should not be recorded as Data 
Subjects but if there is any doubt it is better to include them as Data 
Subjects 


Section B2 Description of Personal Data - Data Classes: 

The Registrar's Notes provides more information about the 
specification of the Data Classes C001 to C132. The starting point is 
the computer records for the systems to be covered by the 
registration Additional descriptive material may be added if desired 
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Section B3 Sources and Disclosures: The sources and 
disclosures D101 to D382 are grouped for convenience into 
those relating to the Data Subject, those relating to the Data User and 
to those relating to other organisations or categories of individuals. All 
possible sources of the data should be ticked, all normal disclosures 
should be ticked and then careful thought should be given to all the 
forseeable circumstances in which the proper use of the Personal Data 
for the purpose registered might require additional categories of 
disclosure and these should be added to the form. Such disclosures may 
never be made but they allow the Data User to make them if he 
considers it necessary for the purpose registered otherwise such 
disclosures would not be allowed. Technically, it is not necessary to 
include disclosures covered by the non-disclosure exemptions but 
routine disclosure to "employees, agents D203” seems a reasonable 
precaution and it is prudent not to rely on statutory exemptions where 
information is supplied outside the Authority as frequently current 
practice provides somewhat more information that is required by 
statute. It should be noted that the Office of Population, Censuses and 
Surveys [OPCS] is separate from DHSS and must be registered 
specifically at the end as "D309 Office of Population, Censuses and 
Surveys". In addition, all systems should have a routine disclosure 
under "Suppliers, providers of goods or services D206" in the text 
section as "D206 Necessary disclosure during the repair or 
maintenace of equipment" wherever there is no other disclosure 


under D206. 


The Registrar will not accept forms where all boxes are ticked to 
ensure that the Data User can make any disclosure he wishes. The 
disclosures must be reasonable in relation to the purposes 
registered. Incidentally, a Data User cannot be sued for making 
disclosures that he has registered [see Handbook 1.12 above or Section 
23(1)c,(2) of the Act] 


Section B4 Overseas Transfers: Where the Personal Data are 
transferred overseas [this includes the Isle of Man and the Channel 
Islands] in magnetic, or other computer-readable, form or over 
computer links this transfer must be recorded. Most forms will need a 
tick against "None TO000". The response "Worldwide T999" should 
only be used where there is genuine and unpredictable worldwide 
transfer needs [see Guideline 3 pp22-23] 
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Page 7 
9 Continuation: additional text can be added as required to clarify the 
data usage but this should not normally be necessary 


The Data Protection Register is available for inspection at the Office of the Data 
Protection Registrar during normal office hours but microfiche copies are available 
in most public libraries. These copies will not include any new or updated 
registrations since the last updating period. Copies of a Register entry can be made 
available by the Registrar for a fee of £2 per entry. 


Before the assembled registration forms are posted, by recorded delivery, the 
Data Protection Co-ordinator should arrange to have good quality 
photocopies produced so that copies of the various registrations can be 
made available to Heads of Departments, Data Custodians and 
Authorised Users. Indeed, where a valid registration has been sent to the 
Registrar, the only method of knowing what has actually been registered during the 
period until the Registrar's official copy of the registration entry arrives is by 
inspecting the Data Protection Co-ordinator's copies of the registration forms. 
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2.13 Checking the Register Entries 

When the Registrar receives the registrations he will acknowledge their receipt and 
provide a reference number by which the registrations may be referred and 
possibly edited. Subsequently, he will issue a notification of acceptance which will 
include a copy of the relevant register entry. It is the responsibility of the Data 
User, or Computer Bureau, to check that the detailed register entry are a true 
record of the submitted details and if necessary correct any errors. 
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2.14 Maintenance of Registrations 

It is the responsibility of the Authority to ensure that any new uses of Personal data, 
or any additional data items which are collected are covered by an appropriate 
register entry. If the existing register entries do not cover the change, then an 
amendment to an existing entry should be submitted to the Registrar. It is expected 
that a completely new entry to the register will not normally be required where a 
Data User has been properly registered in the first place. The Registrar has 
indicated that there will be no charge for amending details in a register entry during 
the period for which it was submitted. Amendments are made on forms DPR2 but 
sometimes it is easier to submit this in conjunction with a DPR1 Part B form to show 
the new registration of a purpose rather than attempting to effect this by a series of 
editing manoeuvres using the DPR2 form alone. 


Clear arrangements must be made with the Heads of Departments and Data 
Custodians to ensure that they understand the requirements of the Data Protection 
Act 1984 and the implications of the registrations made for the data usage for which 
they are responsible. It is up to them to set up the necessary documentation and 
training to ensure that those they record as Authorised Users are aware of the 
proper arrangements for using the systems and that they only use them within those 
agreed arrangements. 


When any new equipment or computer system is being considered for purchase, use 
or development, or new data items contemplated for collection, or any new sources 
considered for existing data items or any new disclosures required or any Overseas 
Transfers contemplated them this MUST BE DISCUSSED WITH THE DATA 
PROTECTION CO-ORDINATOR BEFORE ANY ACTION IS TAKEN 
so that additional registrations may be raised if necessary, or that due weight can be 
given to any operational or security requirements in respect of the new facilities in 
order to ensure that the Authority continues to function within the requirements of 
the Act and its registrations under the Act. Any changes required to the 
registrations, the procedures in Code of Practice or any User Manuals and the main 
Authority Data Protection Records can then be made. 


In order to ensure compliance with the Act it is difficult to see any alternative to a 
regular departmental compliance check every six months, or at least every year, to 
verify that no changes have occurred in equipment, systems or data usage since the 
last check. Similarly, the agreed procedures and security arrangements must be 
examined to ensure that they are functioning correctly. Compliance with the Act is 
an ongoing responsibility for all concerned with the use of computers and the 
associated data systems. 
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2.15 Approving New Systems 


The steps for approving new or amended systems should be as follows:- 


1 All new systems should be formally approved from the point of view of Data 
Protection. Applications for approval should provide the necessary draft 
documentation for:- 


Names of Data Custodians 

The Authority's equipment register [without serial numbers at this 
stage] 

DPR1 registration forms or statement of which existing registrations 
apply [usually only Part B] 

User Manual for the system 

List of Authorised Users 


2 The proposed usage should be certified as complying with the Authority's 
Code of Practice and any proposed departures should be noted for examination 
and resolution. 


3 User requirements and operational requirements should contain sufficient 
detail about the Data Protection requirements of the system for any system 
designers or suppliers to be able to respond specifically. 


4 On approval of the system all the draft material, as finally edited following 
detailed discussions, should then be adopted as official Data Protection 
documentation. Serial numbers of the equipment should be added to the 
Equipment Register and the equipment should be appropriately labelled 
according to Authority policy. The additional registrations must be added to 
the Authority's registrations and the records of systems and registrations 
up-dated. The Code of Practice should be modified if necessary and the User 
Manual should be adopted. Finally, Data Custodians should be appointed and 
arrangements made for listing and training the Authorised Users. 


Most of the systems currently in use are not designed to cope with the requirements 
of the Data Protection Act 1984. However, all new systems should take account of 
the special requirements of the Act. In particular, facilities should be provided as 
follows:- 


a A Printed Copy of Personal Data 

A printed copy of the Personal Data for any Data Subject included 
within the system in which all the codes are translated into intelligible English. 
Material which relating to other Data Subjects and other information that 
might not be legally required to be released could be provided on a separate 
page. The basic objective should be to obtain a copy of the relevant Personal 
Data that could normally be released with the minimum of administrative 
effort. 
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b A Secure Computing Environment 

In order to provide data security and data integrity the system should be 
designed to be run in a suitably secure computing environment taking into 
account the sensitivity of the Personal Data and the physical environment in 
which it will have to operate. 


c Quick Look-Up Facilities for Personal Data 

If the printout is provided by a routine batch processing run it may be 
helpful for rapid look-up facilities to be provided so that the Personal Data 
may be easily inspected without awaiting the results of the batch run. 


The detailed requirements for new systems will be developed for later inclusion in 
this Data Protection Handbook. 
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2.16 Summary for Computer Bureaux 

The registration of Computer Bureaux is very much simpler than the registration 
required by Data Users and it is outlined in Guideline 8. The main requirement 
placed on Computer Bureaux by the Act is that of taking the necessary security 
measures against loss, unauthorised destruction or unauthorised disclosure of 
Personal Data as required by the Eighth Data Protection Principle. 


This approach is based on the concept that the Computer Bureau has no interest in 
the actual details of the Personal Data passing through its systems. If this is not true 
it must register as a Data User in its own right for the data usage and purposes 
involved. In the case of Regional Health Authority Computer Bureaux, they gain no 
extra access to data held by District Health Authorities simply by virtue of 
processing their data. If a Region wishes to obtain access to a District's Personal 
data then the District must have registered a suitable disclosure and it must have 
given written instructions to the Computer Bureau to provide the specified Personal 
Data to the RHA. The RHA cannot simply instruct the Regional Computer Bureau 
to obtain and hand over the required Personal Data without undermining the basis 
on which it has registered as a Computer Bureau. The long history of requests to 
Regional Computer Centres for information from DHSS, OPCS, Regions and 
Districts will in future have to take account of the fact that the Personal Data will be 
held by the specified Data Users and they alone can agree to its release. 


When the Computer Bureau releases information from batch processing runs this 
must always be to a properly authenticated representative of the Data User. The 
individual must either be personally known to the person releasing the information 
or have some suitable authorisation [eg password or signed authority] for collecting 
the material concerned. It is not enough that the individual comes in uniform or a 
Health Authority van. 


Where the Computer Bureau extends its activities from processing to the disclosure 
if Personal Data either as output, on magnetic media or through some network it is 
important that the Bureau should realise that it is acting as the Data User's agent and 
must observe all the relevant Data Protection Principles in exactly the same way as 
the Data User itself. In these circumstances, the Computer Bureau can be 
prosecuted for "Knowingly or recklessly using data, obtaining or 
disclosing data or transfering data". 


The Bureau should 


"obtain an assurance from its customers who are registered Data Users that any such 
act which it performs on their behalf is covered by their Register entries" 
[Guideline 8 p6]. 


The easiest way of ensuring that a Bureau is operating legally in such circumstances 
is for the Computer Bureau to require that all Health Authorities provide copies of 
all relevent registrations. In this way any requested disclosures can be verified as 
being registered. - 
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aN 


A standard contractual provision would be a useful way of ensuring that the proper 
procedures are observed. 


Where aggregated Personal Data is involved, the Act does not apply unless an 
individual can be identified from very small aggregates. However, it is good 
practice for Districts to retain control of their Personal Data and give a general 
release to the Regional Bureaux for issueing aggegated Personal Data to RHA, 
DHSS or OPCS for planning and management purposes. 
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Annexe 2.1 - Staff Notice 


Protection of Personal Information 
The Data Protection Act 1984 


Protection of data about individuals is now a requirement of the Law. 
The Data Protection Act 1984, which is now in force, lays down that:- 


* data shall be obtained and processed fairly and lawfully 
7 data shall be held only for specific purposes and not used 
or disclosed in any way incompatible with these purposes 


All persons that use information on a computer or produced from a 
computer have an obligation to see that it is not passed on in any 
unauthorised way. 


This means, among other things, that printouts and microfiche must be 
treated carefully and that staff must not disclose personal information 
obtained from computers or any computer output in any way other than 
as required for the discharge of their duties to the Authority. 


If an individual is found to have permitted any unauthorised disclosure 
of Personal Information they can face prosecution. 


If you are in any doubt as to which disclosures are authorised, ask to 
see a copy of the Authority's registration covering your work. No 
disclosure which is not covered by this registration or one of the 
exemptions under the Act is permitted. 


Remember 
* TREAT PERSONAL INFORMATION WITH CARE 


* DON'T PASS ON PERSONAL INFORMATION TO 
UNAUTHORISED PERSONS 


After 11 November 1987 the Law will give each person the right to see 
the data concerning him or herself that is held on a computer. Any 
such requests should be passed on to the Authority's Data Protection 
Co-ordinator who will see that the request is handled expeditiously. 
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Annexe 2.1 - Staff Notice (continued) 


Protection of Personal Information 
The Data Protection Act 1984 


NON HEALTH AUTHORITY COMPUTERS 
Staff wishing to use non-Health Authority computers, 
including home computers, for any aspect of Authority business must 
ensure by discussion with the Authority's Data Protection Co-ordinator 
that their proposed activities comply with the Authority'registrations, 
Policies and Code of Practice. An appropriate User Manual will 
specify the particular arrangements for the use envisaged. 
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Annexe 2.2 - General Staff Contract Clause 


Your attention is drawn to the confidential nature of this post. 
Disclosures of confidential information or disclosures of any data of a 
personal nature can result in prosecution for an offence under the Data 
Protection Act 1984 or an action for civil damages under the same Act 
in addition to any disciplinary action taken by the Authority which 
might include dismissal. 
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Annexe 2.3 - General Contractor Clause 
The Contractor undertakes: 


a__ to treat as confidential al information which may be derived from 
or be obtained in the course of the contract or which may come onto the 
possesion of the contractor or any employee, servant or agent or 
sub-contractor of the contractor as a result of or in connection with the 
contract; and 


b to provide all necessary precautions to ensure that all such 
information is treated as confidential by the contractor, his employees, 
servants, agents or sub-contractors; and 


c to ensure that he, his employees, servants, agents and 
sub-contractors are aware of the provisions of the Data Protection Act 
1984 and that any Personal Information obtained from the Authority 
shall not be disclosed; and 


d to indemnify the Authority against any loss arising under the Data 


Protection Act 1984 caused by any action, authorised or unauthorised, 
taken by himself, his employees, servants, agents or sub-contractors. 
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Annexe 2.4 - Clause for the Suppliers of Computer Hardware, Software 
and Maintenance Services 
[set out for use as a separate form of agreement to cover its normal usage] 


Data Protection Certification Form 


Suppliers of Computer Hardware, 
Software and Maintenance Services 


Name of Organisation 
Address of Organisation 


Telephone Number 


On behalf of the above organisation I certify as follows:- 


1 My organisation is appropriately registered under the Data Protection Act 
1984 and is legally entitled to undertake the work agreed in any contract with 
the Authority. 


2 My organisation will abide by the requirements set out on the reverse side for 
handling any of the Authority's Personal Data disclosed to my organisation 
during the performance of such contracts. 


signed 

Name of individual 
Position in Organisation 
Date 
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51 


The following Code of Practice applies where access is obtained to 
an Authority's Personal Data (as defined in the Data Protection 
Act 1984) for the purpose of preventive maintenance, fault diagnosis, 
hardware or software testing, repair, upgrade, replacement or any other 


related activity. 
The access referred to in paragraph 1 above may include:- 


Access to data on the Authority's premises 

Access to data from a remote site 

Examination, testing and repair of media (eg fixed disc assemblies) 
Examination of software dumps 

Processing using the Authority's data. 


ono S& & 


The Supplier must certify that his organisation is registered appropriately 
under the Data Protection Act 1984 and legally entitled to undertake the work 


proposed. 


The Supplier must undertake not to transfer the Personal Data out 
of the UK unless such transfer has been registered and has been 
previously approved by the Authority. 


The work shall be done only by authorised employees, servants, or 
agents of the contractor (except as provided in paragraph 10 below) who are 
aware of the requirements of the Data Protection Act of their individual 
responsibilities under the Act to maintain the security of the Authority's 
Personal Data referred to in paragraph 1 above. 


While the data is in the custody of the contractor it shall be kept in 
appropriately secure conditions. 


Any data sent from one place to another by or for the contractor 


shall be carried by appropriately secure means. 


Where computer readable storage media containing Personal Data 
are not returned to the Authority after repair or refurbishment, any Personal 
Data thereon shall be physically erased from the media by the contractor 
before re-use of the media. 
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9 Where Personal Data is recorded in any intelligible form, it shall 
either be returned to the Authority on completion of the work or 
disposed of by secure means. 


10 Where the contractor sub-contracts any work for any of the purposes in 
paragraph 1 above, the contractor shall require the sub-contractor to observe 
the standards set out in 3-7 above. 


11 The Authority shall, wherever practical, arrange for the equipment or 


software to be maintained, repaired or tested using dummy data that does not 
include the disclosure of Personal Data 
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Annexe 2.5 Health Authority Equipment Census Record 


0|Department [Data Custodian |System Location |Equipment Computer/VDU/Printer 
1 OR NS oEeERD Coes ils HG 


Record No 


Serial Number 


Page 1 Date Department 


Head 


Annexe 2.5 Health Authority Equipment Census Record Record No 


O[Purposes [Data Subjects[Data Classes [Sources [Disclosures [Transfers [Maintenance |Notes 
Tg FEA EA LAOS ARIS, ER EAR TG UG SN AE 
|| a 
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Page 2 Date Department Head 


THE DATA PROT! ECTION REGISTRAR. 


Form DPR. 1 
About this form 


Declaration 


For use by Registrar only 


Annexe 2.6 


Application for Registration Ae lesen ls) 
Data Protection Act 1984 4 v7, a 0 2 9 ii 


Please read this section before completing the form 


How to apply for Registration 

The application form is in two separate parts: 

This part (Part A) is for information about the applicant and other details covering the whole 
application. 

Part B is for a description of a Purpose for which personal data are to be held or used, and 
a description of the data and associated details. You will need to complete one Part B in 
respect of each Purpose you wish to register. 


You should read the accompanying Notes booklet before completing the form. The Notes 
contain rules and conditions which the Registrar will apply, as well as standard descriptions 
and definitions which you will need to consult. It is important that you read the Notes 
booklet carefully. 


In completing form DPR.1, please use a typewriter or, if handwritten, use BLOCK CAPITALS 


If your application is accepted, all the details given on this form, except for those in A3 and 
the declaration, will appear in the Register and will be available for public inspection. 


Do not use this form to: 
Alter or remove an entry already on the Register —use Form DPR.2 
Renew an entry already on the Register —in this case you will be sent a 
renewal reminder 


Further registration packs, and extra copies of Part B, can be obtained from Crown Post 
Offices and from the Office of the Data Protection Registrar, Springfield House, 
Water Lane, Wilmslow, Cheshire, SK9 5AX. 


Completed application forms, together with the appropriate fee, should be sent 

to the Registrar at P.O.Box 66, Wilmslow, Cheshire, SK9 SAX. This address 
must only be used for applications. Other correspondence should be sent to the full 
address given above — it may be seriously delayed if sent to PO.Box 66. 


To be completed by all applicants 


Please fill in the rest of the form before completing this declaration. 


To the best of my knowledge and belief the particulars given in this application are 

correct and complete. | confirm that | am the Data User or Computer Bureau named in . 

section A2 or that | am authorised to act on behalf of that Data User or Computer 
jureau, 


| have read the Notes booklet and understand the Registrar's conditions which it contains, 


| enclose the fee of £22.00 Date 


Signature 


Name 


Position 


It is an offence knowingly or recklessly to furnish the Registrar with information which is 
false or misleading in any material respect. 


Data Users Only 


Write here the number of Parts B forming part of this ES 
application. 


Exception No. Receipt date Registration No. 


ee ae eo eee |e 


A1 Type of application 


A2 Name and address 


A3 Contact name and address 


A4 Company Registration Number 


All applicants must complete sections A1 and A2, and where appropriate, A3- AS 


Tick the appropriate box to indicate whether this Data User and Bureau I] 

application is for registration as a Data User, a Computer : 

Bureau or both. B [| 
jureau only 


Data User only CJ 


Write here the name and address of the Data User or Computer Bureau for whom this 
application is made 


Name 


—— eee 


Address 


You may wish to give the name and address of a contact person in your organisation with 
pe ie Registrar should discuss matters concerning this application. If you do, write it 
ere: : 


Namel/Job title 


Address (if different from that given in A2) 


Code Phone No. Extn 


If the application is on behalf of a registered company, write the company registration number 
here. Otherwise leave blank. 


iw) 


A5 Other names 


A6 Organisation sub-division 


A7 Period of registration 


.A8 Subject access addresses 


You may wish to associate other names (eg. trading names) with this application. If you do, 
write the names here, starting each one on a new line 


You may wish to relate this application to a particular part or sub-division of your 
organisation. If you do, write the name here 


The initial period of registration will be 3 years unless LJ 
you specify a shorter period by ticking one of these boxes 1 year: 
2 years: I 


The remaining sections of this form (A8.and all of PART B) are for applicants 
wishing to register as Data Users. licants wishing to register as Computer 
Bureaux only should now complete the declaration on page 1. 


You must give at least one address for the receipt of requests from data subjects for access 
to the data described in this application. 


If you wish to use one or both of the addresses A2 a 
already given in A2 or A3 — tick here: 
os L 


If you have not ticked one of the boxes above, you must write an address in the space 
below. If you have ticked one of the boxes, you may use the space below for a further 
subject access address: 


Address 


Post Code 


es 


lf you wish to give more addresses for subject access, turn to. page 4 


3 


Additional subject 
access addresses (Optional) _|f you wish to give additional addresses for subject access, use the spaces below: 


——— 


Address 
= a e : oe Post Code 
__ 
eeeeeeeeEEEEeeeeeeeeeeSSSSSSSSSSFSse 
Address 
Post Code 
eee IE 
Say TEFEN EEREEEEE 
Address 
= = Post Code 
_— ees 
ESSE 
Address 
vl ; = — Post Code 
——————————— eee 
SSeS 
Address 
Post Code 


iS a SE Ee 


Form DPR.1 Part A 9/85 Have you completed any related Parts B and signed the Declaration on page 1? 


BSS 


Printed in the UK for HMSO Dd 8938926 8/85 1152 


’ i 


Application No 
(from Part A) 


| Application for Registration 


| Data Protection Act 1984 m 
THE DATA PROTECTION REGISTRAR Please write in 


this number before 
Form DPR.1 Part B 


proceeding 
About this form = This form is for use only in conjunction with form DPR.1 A. 
You should read the Notes on the back of this form and the accompanying Notes booklet. 


B.1 Purpose In this section you should describe a Purpose for which data are held or used. 
There are two methods of completing this section of the form: 


Method 1. By selecting one of the Standard Purposes listed and described in the Notes 
booklet. 


You may then relate the Purpose to a specific part of your organisation or 
particular business activity. 


Method 2. By describing the Purpose in your own words. 
You are likely to find registration simpler and easier under Method 1 and you 
are strongly advised to use this Method if it can meet your requirements. 


Method 1 Select one of the Standard Purposes from those listed in the accompanying Notes booklet, 
and write both the code number and the title in the spaces provided below: 


cian RS ee Se 


code title 


you are required to give further details of your Purpose (see Notes booklet), write these 
ere: 


mS, 


ttn ESSE SSSR RSI 


If you wish to relate this Purpose to a specific part or parts of your organisation or particular 
business activity enter details here: 


Ee 


nm ce EEEEEnIE nnn SIRES SSIINEISSNSRRIIIRSNSSONINNN 


Method 2 (This method should only be used if Method 1 is inappropriate). ; 
lease describe the Purpose for which data are held or used, and, if you wish, the specific 
part or parts of your organisation or particular business activity to which it is related. 


i 


ih a i ee ee ee ne ee ee 
|_| | 


B.2 Description of Personal Data— Data Classes 


In this section, you should describe the Classes of personal data to be held for the Purpose described in B.1. Do this by ticking 
the appropriate boxes below. You should refer to the Notes booklet for examples of data items which might be covered by each 


Class. 
Identification Data 
Personal identifiers 


Financial identifiers 


Identifiers issued by public 
bodies 


Personal Characteristics 
Personal details 

Physical description 

Habits 

Personality, character 


Family Circumstances 
Current marriage or 
Partnership 

Marital history 


Details of other family, 
household members 


Other social contacts 


Social Circumstances 
Accommodation or housing 
Property, possessions 
Immigration status 

Travel, movement details 
Leisure activities, interests 


Lifestyle 


Membership of voluntary, 
charitable bodies 


Public offices held 


Licences, permits held 


Complaint, incident, accident 
details 

Court, tribunal, inquiry 
proceedings 


Education, Skills, Profession 


Academic record 


Qualifications and skills 


Membership of professional 
bodies C053 a 


coo1 
coo2 


co03 


coi 
coi2 
C013 


co14 


021 
co22 
c023 


co24 


C031 
co32 
C033 
C034 
C035. 
C036 
C037 
co38 
C039 
co40 


co41 


co51 


co52 


| 


BEEBE 


BE BR REBRERRES BREE 


Professional expertise 
Membership of committees 
Publications 

Student record 


Student financial records 


Employment Details 
Current employment 
Recruitment details 
Termination details 
Career history 

Work record 


Health & safety record 


Trade union, staff association 
membership. 


Payments, deductions 
Property held by employee 
Work management details 
Work assessment details 
Training record 


Security details 


Financial Details 


Income, assets, investments 
Liabilities, outgoings 
Creditworthiness 

Loans, mortgages, credits 
Allowances, benefits, grants 
Insurance details 


Pension details 


C054 
cos5 
co56 
C057 


cos8 


co6i 
c062 
C063 
co64 
Co65 
co66 
C067 
co68 
co69 
co70 
co71 
co72 


co73 


cost 
c082 
cos3 
cos4 
coss 
COs6 


C087 


a 
a 


| a | 


Details of Transactions 


Goods, services provided 
to the data subject 


Goods, services obtained 
from the data subject 


Financial transactions 
Compensation 


Business Information 


Business activities of the 
data subject 


Agreements, contracts 
Trading licences held 
Health & Other Classes 
Physical health record 
Mental health record 


Disabilities, infirmities 


Dietary, other special health 
requirements 


Sexual life 

Racial, ethnic origin 
Motoring convictions 

Other convictions 

Criminal intelligence 
Political opinions 

Political party membership 
Support for pressure groups. 
Religious beliefs 

Other beliefs 


Miscellaneous Information 


References to manual files, 
records 


Uncategorised information 


Ifyou wish, you may describe additional Classes of data here; start each description on a newline: 


co91 
cos2 
co93 


cos4 


C101 
C102 


C103 


cit 
c112 
C113 
C114 
C115 
C116 
Cli7 
C118 
C119 
C120 
C121 
C122 
123 


C124 


C131 


C132 


a 
PB 
O 
O 
ay 


B.3 Sources and Disclosures 
In this section, you should describe: 


In column A — The sources from which you intend or may wish to obtain any of the data you have described in section B.2. 
In column B — The person or persons to whom you intend or may wish to disclose these data. 


Do this by ticking the appropriate boxes below 


individuals or Organisations directly 
associated with the Data Subjects 


The Data Subjects themselves 


Family, relatives, guardians, trustees 


Other members of their households, friends, 
. neighbours 


Employers — past, current or prospective 
Employees, agents 


Colleagues, business associates 


Others — please specify here: 


D104 


D105 


D106 


Legal representatives 

Financial representatives 

Doctors, Dentists, other health advisers 
Social, spiritual, welfare, advice workers 
Other professional advisers 


Landlords 


Mere, 


IU Oe 


Individuals or Organisations directly 
associated with the Data User 


Members, including shareholders 
Other companies in the same group 


Employees, agents 


Recipients, customers, clients for goods 
\ or services 


Others — please specify here: 


D201 L_ | 
D202 LJ 


D203 LJ 
D204 a 


O 


Claimants, beneficiaries, assignees, payees 
Suppliers, providers of goods or services 
Persons making an enquiry or complaint 


Tenants 


Organisations or Individuals 
(General Description) 


Central Government 

Inland Revenue 

Customs & Excise 

Driver & Vehicle Licensing Centre (DVLC) 
Department of Education & Science (DES) 
Department of Health & Social Security (DHSS) 
Department of Employment 

Home Office 


Ministry of Defence, including armed forces 


Other central government, including 
Scottish, Welsh & Northern Ireland Offices* 


D301 


D302 


D303 


D304 


D305 


D306 


D307 


Li ie | 


D308 


D309 


Local Government 
Education department 
Housing department 


Social Services department 


Electoral registration, Assessment, 
Valuation departments 


Other local government 2 
Other Public Bodies 
Other public bodies not elsewhere specified " 


. ee 
Foreign governments or authorities 


D331 


D332 


Continued 


B.3 Sources and Disclosures Continued 


a £ 
- 
i? fd 
¢ 
Justice a oe Other ay Au 
Police forces D341 [ Public utilities D361 
Prosecuting authorities D342 a i Banks D362 
Other statutory law enforcement agencies, paqg Building societies D363 
investigating bodies * ae San oe 
The courts D344 LJ LJ Insurance companies D364 _ 
Judges, magistrates D345 [| ia Other financial organisations * D365 
Prison service D346 L] L] Accountants & auditors D366 
Probation service D347 |_J L] Lawyers D367 1 | 
Health & Social Welfare Credit reference agencies D368 ea 
Debt collection, tracing agencies D369 
Health authorities, family practitioner p354 Pe 


mmit 
committees Employment, recruitment agencies D370 


Hospitals, nursing homes D352 


Registered medical practitioners D353 


Trade, employers associations D372 


Private detective agencies, security organisations D371 a 
Registered dental practitioners D354 rq 


Trade unions, staff associations D373 


EBBBE 
BEE ES 


Nurses, midwives, health visitors D355 


Professional bodies D374 


Other health care agencies, practitioners” D356 : As 3 
Voluntary, charitable, religious organisations D375 
or associations 


Social welfare agencies, practitioners * D357 


Political organisations D376 — 


examining bodies 


Education or training establishments, D377 | 


Survey or research organisations, workers D378 


Providers of publicly available information, 
including public libraries, press and media 0379 =z. 


Providers of privately available information 
and databanks 9380 |} |_| 


Traders in personal data D381 


Other organisations or individuals“ p3a2 


You should use the space below to give further details if you wish to use one or more of the categories 
marked with an asterisk (*) above. You should give the code number for each category which you are 
explaining. 

If you'wish, you may also write here additional descriptions of Sources and Disclosures: 


If you are using the space below, start each description on a new line and indicate whether the item is a Source, 
a Disclosure, or both. Ra 


How to apply for Registration 


How to complete this form 


Form DPR.1 Part B 9/85 


The application form is in two separate parts: 


Part A is for information about the applicant and other details covering the whole 
application. “ 


This part (Part B) is for a description of a Purpose for which personal data are to be held or 
used, and a description of the data and associated details. You will need to complete one 
Part B in respect of each Purpose you wish to register. 


You should read the accompanying Notes booklet before completing the form. The Notes 
contain rules and conditions which the Registrar will apply, as well as standard descriptions 
and definitions which you will need to consult. It is important that you read the Notes 
carefully. 


In completing form DPR.1, please use a typewriter or, if handwritten, use BLOCK CAPITALS. 


Do not use this form to: 
Alter or remove an entry already on the Register — use Form DPR.2 
Renew an entry already on the Register — in this case you will be sent a renewal 
reminder. 


Further registration packs, and extra copies of Part B, can be obtained from Crown Post 
Offices and from the Office of the Data Protection Registrar, Springfield House, 
Water Lane, Wilmslow, Cheshire, SK9 5AX. 


Completed application forms, together with the appropriate fee (see Notes Booklet), should 
be sent to the Registrar at P.O.Box 66, Wilmslow, Cheshire, SK9 5AX. This address 
must only be used for applications. Other correspondence should be sent to the full 
address given above — it may be seriously delayed if sent to PO. Box 66. 


Jn each section of Part B you may use standard descriptions to provide the detail required. 
Although you also have the option of writing your own descriptions in free text, you are 
strongly encouraged to use the standard description approach. In most sections 
this is simply a matter of selecting the appropriate descriptions from the list printed on the 
form and ticking the corresponding boxes. ~ 


The standard descriptions for Purposes are not printed on the form but are listed in the 
separate Notes booklet. You will need to read these before filling in the form. You should 
also refer to the booklet when selecting descriptions for Data Classes. 


Before completing the rest of the form you should write the application number 
(copied from the front of Part A) in the box provided on the front of this Part B. 


If your application is accepted, the details givenin sections B.1 to B.4 will appear on the 
Register and will be available for public inspection. 


Ifyou need more space than is provided for text in any Section, you may continue on page 7. 


Printed in the U.K. for HMSO, Dd, 8938928 9/85, W549 


Application for Alteration or Form DPR.2 
THE DATA PROTECTION REGISTRAR RemovalofaRegisterEntry  . 


Data Protection Act 1984 
PartA 


A.1 Details of Name 
Applicant 
(see Note 1) Address 


Post 
Code 


User Number (issued onthe 
confirmation of your Register entry). 


A.2 Register Entries 
tobe altered 
(see Note 2) 


Now turn to Part B overleaf 


A.3 Register Entries 
tobe removed 
(see Note 3) 


A.4 Declaration Tobe completed by all applicants 
(see Note 4) 
To the best of my knowledge and belief, the particulars elven inthis form and on any continuation 
sheets are correct and complete. | confirm that | am the Data User or Computer Bureau named in 


A.1, or that | am authorised to act on behalf of that Data User or Computer Bureau. 


Signature Date 


Name 


Position 


Send your application to: Office of the Data Protection Registrar, 
(see Note 5) Changes Section, Id House, 
Water Lane, Wilmslow, Cheshire, $K9 5AX 


See Notes 6-8 about confirmation of changes, and changes of name and address 


Notes: 


1. Write here the name and address of the Data User or Computer Bureau as currently entered in the Register. 


2. Write here the Registration numbers of Register entries to be altered. Note that any alterations requested on this form will be 
applied to al/ofthe Register entries listed here. Give details of alterations in Part B overleaf. 


3. Write here the Registration numbers of Register entries to be removed. 
4. Itis an offence knowingly or recklessly to furnish the Registrar with information which is false or misleading in any material respect. 
5. Thereis no fee for an Application for Alteration or Removal of a Register entry. 


6. Confirmation of the removal or alteration requested on this form will be sent by the Registrar to the Registered name and address 
giveninA.1 above. 


7. Ifthe alteration is to the Registered name and address, the confirmation will be sent to the new address. Changes of Contact name 
and address have no effect on the Register itself, but will be recorded for use by the Registrar and confirmed to the new address. 
Remember to indicate if a change of name or address affects the Subject Access addresses in a Register entry. 


8. Ifanewnameis that of a different legal person, this form should not be used and that person should apply to be registered 
separately using Form DPR.1. 


PartB 
Details of Alterations to Register Entries 


Please explain in your own words, and as clearly as possible, the nature of the alteration you wish to make. 
You should clearly indicate to which section of the Register entry the aiteration applies (see Notes 9-12 below) 


SSeS 


Now sign the Declaration at A.4 


Notes 

9. Hthe alteration is particularly complex, you may find it easier to submit a fresh Application for. ghee Form DPR.1 Part B. 

If you do this, you must clearly mark that form “Alteration Only” and attach it to this Form DPR.2. The Registrar reserves the right to ask 
applicants for alterations to use this method if the proposed alteration described above is unclear. : 


10. If youneed more space, you should attach one or more continuation sheets. If so, please write herethe total number of sheets; 


including this one. 
No. of sheets: [| 


11. Youare advised to keep a copy of your application. 

12. Inmaking any requests for alterations to a Register entry, you should refer to the booklet Notes —to help you apply for 
Registration, and where appropriate, to the Registrar's Guidelines. These, and copies of Forms DPR.1 and DPR.2, can be obtained 
from the Office of the Data Protection Registrar, Springfield House, Water Lane, Wilmslow, Cheshire, SK95AX, Telephone Wilmslow 
(0625) 535777. ty 


For use by Registrar only 


Form DPR.2 11/85 4 7 6 6 8 5 Printed for Her Majesty's Stationery Office by Harvest Printers Lid. 10/85 Dd. 8835859 


Data User Regional Data Protection 
Health Authority Officer 
Data Protection 
Steering Group 
Head of Department 


Authorised System User 


fig 2.1 Data Protection Organisation 
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Data Protection 
Coordinator 


May 29, 1987 


Chapter 3 | 
Ensuring Compliance within the NHS 


3.1 The Current Situation 

As a background to the revision of the CIT Guidelines a detailed questionnaire was 
devised to enable an assessment to be made of the basic level of compliance with the 
Data Protection Act 1984. The CIT Guidelines have been developed into an 
up-datable CIT Data Protection Handbook to avoid confusion with the Registrar's 
Guidelines. The questionnaire has been developed into a full scale Data Protection 
Compliance Checklist to enable Health Authorities verify their compliance with the 
Act while and the checklist from the original CIT Guidelines has been developed 
into more detailed advice on data security in this chapter. 


The full analysis of the responses to the questionnaire is provided in Appendix 3. 
However, there are a number of specific points that should be made about the 
present situation which should be disentangled from the detailed analysis:- 


1 Staffing and Professionalism 

At the relevant time the NHS was preoccupied with the implementation of the 
Griffiths and the Korner Reports. The effect of this was that, in the first place, the 
administrative structures were unstable because a large proportion of the relevant 
staff were in process of moving to other jobs or had just arrived from other jobs. 
Even where the structure was stable, the senior managers had not sorted out their 
priorities and policies and thus local initiative was often stalled. Secondly, the 
implementation of the Kérner Reports involved massive changes in the NHS 
Information Systems which required all the available staff to implement. Although 
these changes did not have the force of law behind them they had been working their 
way through the organisation for some time and had just reached the period of 
intensive activity. Furthermore, they involved changes that had generally been 
perceived as beneficial. Although the Data Protection Act 1984 is a major advance 
in raising the general level of professionalism in the computing activities that are 
now very widely spread across many staff and disciplines in the NHS, this 
understanding las not yet become as widespread as the computing itself. The 
current situation of widely dispersed computing activity is radically different from 
the environment of earlier years when computing was closely controlled by small 
groups of highly trained specialists. 


The questionnaire responses indicate that the staffing of Data Protection activities is 
poorly known or recorded but, also, that most Authorities are allocating insufficient 
staff, or importance, to enable the Act to be implemented adequately. 
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2 Development of Good Practice 

Some Authorities have obviously put a great deal of effort into drafting policy 
documents but the total effect is very variable. The availability of an adequate Code 
of Practice will save all the other Authorities from the effort of having to devise 
their own codes. 


3 Administrative Procedures 

Many issues in Data Protection require the establishment of specific procedures to 
ensure that appropriate action is taken in various circumstances. The first steps 
must inevitably be recognition that such procedures are required and that decisions 
have to be taken in advance about how the situations are to be handled. It is clear 
from the questionnaire responses that some necessary procedures do not yet exist in 
many Authorities and that they must now be established. The defence of having 
taken "such care as in all the circumstances was reasonably required" can only be. 
mounted if it is possible to supply the Court with admissible evidence that 
appropriate procedures were in place and were generally operating satisfactorily. 


4 Centre for Information Technology Checklist 

The CIT checklist from the previous Guidelines has as yet only been implemented in 
a fragmentary way. It includes too many general statements which require 
interpretation and it needs to be developed into a rather more specific and practical 
security guide which distinguishes the steps required in a computing environment, 
facilities required from systems suppliers, actions required from system managers 
and Data Custodians and finally action required from the individual Authorised 
Users. 


5 Registration Approach 

Most Authorities followed the CIT advice of using 3 entries [DPR1 Part A forms] 
but there were wide variations from a single entry approach up to 23 Part A forms 
and 40 Part B forms or 3 Part A forms and 200+ Part B forms. It must be expected 
that some of the more extreme approaches will turn out to be unwieldy in practice 
and will be re-registered as Subject Access and compliance issues begin to surface. 
However, theré should be few problems in rearranging an existing set of 
registrations into a more satisfactory format. 


The examination of documentation, procedures and security in this chapter is 
designed to rectify some of these deficiencies. 


2 Chapter 3 NHS Data Protection Handbook [version 3.0] May 29, 1987 


3.2 Compliance with the Eight Data Protection 


Principles 

The Registrar's Guideline 4 covers his approach to the Data Protection Principles 
and it forms the foundation of good practice in Data Protection. Each Authority 
should develop and implement effective policies on Data Protection. This can 
conveniently be handled with a relatively brief DATA PROTECTION POLICY 
statement that may be incorporated with all the other Policy Statements of the 
Authority. This statement can then be developed into a necessarily more lengthy 
CODE OF PRACTICE which sets out the detailed Authority-wide arrangements 
adopted for handling the Authority's computer systems and the Personal Data held 
in them, The operating instructions for each system then need to be supplemented 
with a USER MANUAL that gives the details of the Data Protection arrangements 
for handling that specific system and any special departures from or amplifications 
of the Code of Practice related to it. The relationship of these various documents to 
each other is indicated in fig 3.1. 


The development of a general CODE OF PRACTICE FOR THE NHS as a 
whole will obviously simplify a great deal of administration and save NHS 
manpower. This will be included as Chapter 6 of this Data Protection Handbook. 
Such a General Code of Practice would correspond to the expectations of the 
Registrar in promoting the development of Codes of Practice for organisations in 
the same sector of activity. In order to relate the Code of Practice to the Act it is 
recommended that they should be specifically related to the Eight Data Protection 
Principles. When the Authority authorises a system for processing Personal Data, it 
accepts the responsibility for ensuring that it complies with the Act and, in 
particular, for ensuring that it complies with the Data Protection Principles. 


The Registrar envisages the development of "Cross-Sectoral Guidelines” giving 
professional or technical advice on particular facets of Data Protection and of 
"Operational Procedures” relating to the work of specific groups of employees. 


Authorities should review their policies on security, data confidentiality and 
authorisation for access to the Personal Data held by the Authority. This can 
conveniently be done by the use of the DATA PROTECTION COMPLIANCE 


CHECKLIST from Appendix 4. 
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3.3 Data User's Checklist 

The Authority should consider the steps required to assure itself that compliance has 
been, and continues to be, achieved. Such steps should include the following items, 
remembering that a quick answer is not the important issue but rather that the 
Authority should have scrutinised the matter adequately, taken effective steps to see 
that the appropriate measures have been taken and routinely monitored the 
functioning of the administrative measures to ensure their effectiveness. 


a Data Protection Compliance 

Health Authorities should hold regular Data Protection Compliance Checks on the 
Authority's systems, using a suitable Compliance Checklist, and paying particular 
attention to data security and the more sensitive Personal Data. An attempt should be 
made to identify weaknesses in the physical security and control procedures and to 
monitor compliance with the Data Protection Principles. The need for the 
expenditure of additional resources should be governed by the sensitivity of the 
Personal Data. 


b= Specialist Data Protection Knowledge 

Health Authorities should ensure that Data Protection Co-ordinators keep abreast 
of developments in a fast moving technical, administrative and legal field by 
participating in Regional and National meetings aimed at sharing experiences of 
implementing the Act, developing improved ways of securing compliance with the 
Act and understanding the ways in which the Act is being interpreted by the 
Registrar and the courts. The assignment of someone to handle the Region-wide 
Data Protection liaison function is a good way of co-ordinating the Data Protection 
effort across a Region, stimulating the flow of information on a Region-wide basis 
and hence saving the manpower that would otherwise be required to think through 
each step in the programme of implementing the Act and maintaining compliance 
with it. Regional Data Protection Officers should establish effective links with the 
Office of the Data Protection Registrar, the NHS Centre for Information 
Technology and District Data Protection Co-ordinators. 


c Specialist Training of Departmental Managers 

Health Authorities should train Heads of Departments and Data Custodians in 
handling their responsibilities for ensuring compliance with the Act and ensuring 
that this training is maintained and developed where necessary. The NHS Training 
Authority/NCC Data Protection Resource Pack is a very good starting point for this 
training process. 


d Training of Users 

Health Authorities should train Authorised Users in the handling of specific systems 
and ensure that they have a basic understanding of the requirements of the Act. 
Care for security and the protection of Personal Information must be instilled at 
every level and unauthorised disclosure of Personal Data must be eliminated. All 
such users should read and sign a specific confidentiality undertaking which details 
the operative Policies, Code of Practice and User Manuals, or other Data Protection 


documents of the Authority. 
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e Staff Contracts 

Whatever the relative merits of the use of clauses in staff contracts, of specific 
material in job descriptions or of signed statements in staff files, Health Authorities 
take effective steps must be taken to ensure that staff understand what is expected of 
them. Staff must know that disciplinary steps will be taken for infringements of 
these arrangements and that these steps may result in dismissal for flagrant breaches 
of these instructions. In addition, they must realise that they may commit statutory 
offences and be sued personally for damages under the Data Protection Act 1984. 


f Supplier and Contractor Contracts 

Appropriate clauses are desirable in all contracts and vital in any contracts for the 
supply of computer hardware, software or any repair and maintenance services or 
for general [as opposed to medical] consultant contracts where the consultant may 
have access to any of the Authority's Personal Data. Health Authorities should 
require signed contracts with all computing contractors along the lines of the 
suggestions made in Annexe 2.4. 


g Staff Selection 
Health Authorities should ensure that staff selection procedures are adopted which:- 


1 Emphasise the need for all staff to handle Personal Data in a 
confidential manner 


2 Ensure that staff handling computer systems or Personal Data from 
such systems are specifically trained in and advised of the requirements of 
the Data Protection Act 1984 


All new staff appointment letters should refer to the implications of the Data 
Protection Act 1984 and staff induction courses should have a session dealing with 
the general requirements of the Act and the steps taken by the Authority to 
implement it. 


h Staff Awareness 

Health Authorities should ensure that staff are reminded of the requirements of the 
Act and the Authority by the liberal use of individual Staff notices [for instance in 
pay packets], departmental posters and'notices, stickers on computing equipment, 
computer output and filing cabinets. 


i Non-Authority Staff Arrangements 

Health Authorities should ensure that all staff using the Authority's Personal Data, 
whether working on Health Authority premises or not, comply with the same basic 
standards as the Authority's own staff. As indicated previously, proper agreements 
should be made as to which organisation is the Data User and, therefore, has control 
of the computer system, its security and the associated data usage. From that 
decision flows the registration entries and decisions about what movements of 
information count as disclosures within the meaning of the Act. 
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j Staff Advisory Service 

Health Authorities should set up clearly defined arrangements so that staff know 
where they can go to get advice on matters of confidentiality and about the 
requirements of the Data Protection Act 1984 


k System Selection Criteria 

As the requirements of the Act become clearer in practical terms, the Health 
Authorities should begin to lay down standards against which new systems will be 
judged from the point of view of the Data Protection needs for confidentiality and 
security procedures [as well as from the point of view of operational performance]. 
The self conscious development of these requirements will assist with the process of 
maintaining the security of the Authority's systems. 


1 The Need to Know Principle 

In implementing the various security systems and password procedures, Health 
Authorities should introduce mechanisms to ensure that staff generally only have 
access to the Personal Information they need to carrry out their own duties. They 
should not be given access to more detailed information than necessary. 


This is particularly relevant to professional computing staff or consultants who 
should not be given unauthorised or unnecessary access to Personal Data when 
sorting out technical problems on operational systems. Correspondingly, systems 
must not be demonstrated or used for training purposes with live Personal Data 
unless the disclosures involved would normally be permitted in the operational 
Situation and are necessary for the training. 
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3.4 Data User's Documentation 

The Authority must maintain sufficient documentation to ensure that it has 
implemented the Act adequately and that continuing compliance is achieved. The 
basic requirements for this purpose are as follows:- 


1 A Data Protection Policy 
This document describes, briefly, the Authority's general approach to the 
implementation of the Act 


2 A Data Protection Code of Practice 
This document gives a detailed description of the Authority's general procedure for 
handling Data Protection [items 1 & 2 may be combined] 


3 User Manuals for Each Computer System 

These manuals provide the detailed methods of operating the systems, including the 
way that the Data Protection Principles are applied in each system and the security 
measures taken to ensure the accuracy and integrity of the data base 


4 Data Protection Functions and Job Descriptions 

All the required Data Protection functions should be allocated to specific individuals 
and they should be included in appropriate job descriptions. These individuals must 
be given time to discharge their functions as specified. In particular, duties ascribed 
to Data Protection Co-ordinators, Data Custodians, and Regional Data Protection 
Officers should be suitably assigned. 


5 Contractual Arrangements 

Appropriate clauses, or alternative arrangements, are required to ensure that 
system users, staff generally, suppliers and contractors [especially suppliers of 
computer hardware, software and repair and maintenance services] are properly 
bound by the Authority's requirements in respect of the Data Protection Act 1984 


6 Register of Equipment 

An up-to-date register of equipment is the starting point for the control of data 
usage and it can only be maintained effectively if it includes the serial numbers of 
the equipment 


7 Register of Authorised Computer Systems 

Each computer system used by or on behalf of the Authority should be listed and 
authorised together with the names of the Data Custodians responsible for it and a 
list of Authorised Users. In addition, the register entries under which the system is 
registered must be recorded 


7 Chapter 3. NHS Data Protection Handbook [version 3.0] May 29, 1987 


8 Register of Data Usage [the Authority's Data Protection 
Registration] 

Each registration should be recorded and cross-referenced, both ways, with the 

Authorised Systems so that each register entry can be related directly to the 

computer systems [and departments and Data Custodians] involved and each 

Authorised System can be related to the Register entries under which it is 

authorised. 


9 The Data Protection and Complaints Log 

In view of the dispersed nature of the data usage in a Health Authority and the 
changes of staff likely to be encountered, it would be valuable to ensure that the 
main features of the Data Protection arrangements should be properly recorded for 
future reference, together with any complaints received regarding Data Protection 
and the actions taken in processing them. The objective of this Data Protection and 
Complaints Log is to ensure that the Health Authority maintains clear evidence of its 
efforts to implement the Act and to investigate any complaints related to issues 
caused by the Act. It is envisaged that this Log might be used in any court 
proceedings to establish the Authoritiy's policies, procedures and activities relating 
to the implementation of the Act. 


10 Subject Access and Exceptional Disclosure Log 

In order to monitor the arrival and processing of Subject Access Requests the 
Authority needs to keep a fully dated log of all requests and the actions taken in 
processing them. Completed copies of the form in Annexe 4.4 from chapter 4 will 
provide the basis of this Log. In addition, steps should be taken to record all 
exceptional requests for Personal Information and any exceptional disclosures made 
together with the reasons or basis for making them. As well as being a sensible 
precaution from the point of view of the Data Protection Act 1984, this approach is 
recommended in the wider context of Personal Information by the Kérner Report 
from the Confidentiality Working Group 1984 [para 3.22 p18]. 
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3.5 Data Security and Professionalism 

The checklist of security measures is one that will be continually developing in 
response to the spread of new equipment and the appearance of new threats to the 
security of data. No checklist can be complete but it can give a clear indication of 
the requirements that systems should meet. Furthermore, there will always be a 
balance between the measures that can be built into the computer systems or can be 
arranged by the central Computer Bureau and the operational procedures that 
individual systems managers and system users will need to take to ensure the 
relevant standards of security. 


No matter how powerful the security procedures that have been built into the 
operating system software or into the individual applications, inadequate attention 
from the system managers and the users will nullify the potential benefits that might 
be obtained. Correspondingly, Data Custodians must be aware of the strengths and 
weaknesses of the central facilities they are using and must make sure that any 
deficiencies arising from the use of older and less secure technology are 
compensated by effective local control procedures. Data security, like all other 
types of security, can only be achieved by constant vigilance from all concerned 
with the systems. It takes time, effort and resources and it is frequently 
inconvenient but there is no other way in which data security - and hence legal and 
reliable operating conditions - can be obtained. 


Greater professionalism on the part of everyone involved in the use of computer 
systems will incidentally lead to more accurate data, more reliable systems and less 
loss and inconvenience from missing or corrupt data. Such systems will be more 
relevant to the needs of those using them and they will save the NHS from 
potentially large claims for compensation to Data Subjects for damage and distress. 
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3.6 Categorising Personal Data 
In the interpretation of the Data Protection Principles in Schedule 1 Part I of the 
Act, the requirements of the Eighth Principle are described as follows:- 


"Regard shall be had ... 


a to the nature of the Personal Data and the harm that would result from 
such access, alteration, disclosure or destruction as are mentioned in this 
principle; and 


b to the place where the Personal data are stored, to security measures 
programmed into the relevant equipment and to measures taken for ensuring 
the reliability of staff having access to the data" 


Accordingly, the measures should be appropriate to the damage that such 
unauthorised events could cause to the Data Subject and thus open the Authority to 
Court actions for compensation for such damage and associated distress. Although 
there are many unforeseen ways in which apparently harmless information can 
prove damaging in the wrong hands it can be helpful to classify Personal Data and 
gear the security measures to this classification. This can be done as follows using 
three categories:- 


1 Registered Personal Data [R] 

This is the lowest classification of sensitivity of Personal Data which still 
comes within the requirements of the Act. Such information as lists of names, 
work addresses and work telephone numbers, as might often be pinned on to 
notice boards for easy reference, or reference numbers in an electronic mail 
system, would be the most obvious examples of low sensitivity information for 
which a relatively relaxed security approach might be acceptable. 


In addition, any publicly available or widely published information should 
normally be regarded as coming in this lowest category of Personal data. 


2 Confidential Personal Data [C] 

This is the "normal" classification of Personal Data that requires the full range 
of security measures. Some Personal Data in such systems will undoubtedly be 
potentially capable of being very damaging in adverse circumstances. The 
accidental loss, errors, mis-use or disclosure of particular items in these 
records could have quite profound consequences even though most of the items 
for most individuals might not have such serious results. 
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3 Secure Personal Data [S] 
The Act specifically allows the Secretary of State to provide additional 
safeguards for "Personal Data consisting of information as to:- 


(a) _ the racial origin of the Data Subject; 

(b) his political opinions or religious or other beliefs; 
(c) his physical or mental health or his sexual life; or 
(d) _ his criminal convictions" 


and hence these data obviously qualify for special care. In addition, the 
Registrar's Notes require that for the purpose of the "Provision of Health 
Care* P062" Personal Data held for:- 


"Genetic services 

Contraceptive services 

Infertility services 

Care/Treatment of persons suffering from:- 
- mental illness 
- addiction 
- sexually transmitted diseases" 


should be specifically recorded. These two categories provide a good basis for 
the classification of specially sensitive Personal Data in the Health 
environment. Systems which are mainly concerned with these sensitive 
Personal Data, as distinct from those that have some sensitive items in them, 
will require special care. Examples might be lists of AIDS patients, Child 
Abuse, Mental Handicap or Cancer Registers 


By using this three part classification of sensitivity it should be possible to relax the 


-tigour of the security procedures in areas where there is no serious risk and 
concentrate the vigour of the security effort where it will be most useful. 
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Jet Categorising the Environment 

The physical environment of the computing facilities must be the first 
consideration. Public areas of hospitals and clinics obviously require more 
stringent precautions than relatively inaccessible offices that are not open to the 
general public. Areas that are generally controlled by staff during the day 
obviously require different security from similar areas which are not routinely 
occupied or from the same areas while they are not used at night or during 
week-ends. This classification of the security risk should be used in conjunction 
with the classification of the sensitivity of the Personal Data accessible from the area 
in question. This approach is outlined below:- 


a Public Area Security 

Where possible no Secure Personal Data should be accessible from a public area and 
Confidential Personal Data should only be accessible from public areas where those 
specific Personal Data are required for operational purposes. Care should be taken 
to ensure that the System and User Manuals are not left around for casual inspection 
or to be stolen. System passwords should not be left in the area. Steps should be 
taken to ensure that Personal Data cannot be acquired simply by stealing the floppy 
discs or the complete computer with its hard disc. In such areas complete computer 
systems should be securely bolted down to a desk or some immovable object. The 
log-in procedures should automatically log-out anyone who has not been active on 
their terminal for a relatively short time, say, five minutes. Furthermore, it should 
not be possible for the terminal to be logged-in at the beginning of the day and left 
connected all day. Even if the terminal is in "continuous" use the system should 
require that the user provides a password at relatively frequent intervals, say, half 
to one hour intervals. 


b Night and Week-end Security 

Where possible no Confidential or Secure Personal Data should be accessible from 
such uncontrolled areas. If this is not possible care should be taken to ensure that 
System and User Manuals are not left around for casual inspection or to be stolen, 
nor should any system passwords be left in the area without being securely locked 
away. The area should be securely locked or controlled by entry cards which either 
log or prevent access at night and during weekends. Basic perimeter security steps 
such as locking windows should be enforced. Alarm systems or security patrols 
may be required depending on the risks involved. 


c Controlled Areas [normal daytime working areas] 

As far as possible Confidential and Secure Personal Data should not be accessible 
where there is no requirement for it in the registered purposes of the data systems. 
Secure and Confidential Personal Information in printed or microfilm or 
microfiche form should be locked away when not in use and it should generally only 
be accessible to those needing it to carry out their jobs. The disclosure of Personal 
Data arising from unauthorised inspection of computer terminals, the theft of 
printed output, microfilm or microfiche, computer equipment, computer readable 
media or passwords should be borne in mind when designing the security for each 


system. 
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Individuals who are not known within a department should be asked to identify 
themselves, and their authority for accessing Personal Data, before they are allowed 
access to computing facilities. Where the office arrangements do not ensure that 
such an outsider will be challenged automatically during a normal working day, 
such as when an office is isolated and infrequently used, additional security 
precautions should be taken regarding access to the area or to the equipment in 
order to prevent unauthorised access to Personal Data. 


d Computer Systems Areas 

Any significant computer system will hold a substantial volume of Confidential or 
Secure Personal Data to which access could be had by various means. There are 
many books on Computer System Security but Elbra (1986) and Abbott, Barber and 
Peel (1986 Section A.4.3 Site Preparation) provide a reasonable starting point. 
Generally the computer building should be controlled by a receptionist/security 
guard with card access to the more sensitive parts of the building which only 
permits individuals access to certain areas where they need access for their work. 
The use of security guards is now normal practice at night and weekends. 


As well as protection from unauthorised access and theft, care has to be taken 
against loss of information arising from fire, flood, loss of electricity supplies and 
the deliberate manipulation of the equipment by malicious individuals, whether staff 
or outsiders. Systems that can be accessed directly from the public switched 
telephone network should be treated with great care and generally should not 
contain any Confidential or Secure Personal Data. 
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3.8 System Security 

a Handling of Computer Output from Terminals, Printed Reports 
and Microfilm or Microfiche 

1 Requests for Personal Information, other than those under the Subject Access 

provisions of the Act, should always be checked as being:- . 


a required internally for the registered [Data Protection] purposes of the 
Health Authority; or 


b covered externally by the registered [Data Protection] Disclosures of 
the Health Authority; or 


c covered by a suitable non-Disclosure exemption. 


All requests that are not so covered should be refered back to the Data protection 
Co-ordinator. 


2 Even where the original Personal data is no longer held by the Health 
Authority on a computer system, computer output remains covered by the 
non-Disclosure provisions of the Data Protection Act 1984 although it is exempt 
from the Subject Access provisions 


b Operating Systems and Log-on Procedures 

1 Where possible the basic starting frame displayed on a terminal should give as 
few clues as possible to the specific operating system in use or to the applications 
that can be accessed from it. 


2 It could usefully carry a warning that "Personal Information is subject to the 
Data Protection Act 1984, and must be collected, processed and disclosed in 
accordance with the EIGHT DATA PROTECTION PRINCIPLES and the 
Authority's registrations under the Act". 


3 It might also indicate (incorrectly) that the terminal has been barred from 
access to any Confidential Personal Data and the user should consult the System 
Manager to obtain access again. 


4 The operating system should record, and have available for subsequent 
inspection, the date, time, terminal of all accesses, whether successful or not, and the 
application systems accessed by successful log-on attempts. 


5 A successful log-on should list the date, time and place of the last successful 
log-on under that identification (name, number, etc) and password together with the 
number of unsuccessful attempts to log-on to that identification (name, number) 
since the last successful log-on. 


6 The system should hold passwords in encrypted form so that they cannot be 


discovered simply by dumping part of the store. 
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7 If possible passwords should be machine generated in a fashion that allows the 
user to select from a small group of (say 10) possible passwords. The passwords 
should be at least six characters long, comprising either:- 


a two triplets of alpha or numeric characters in either order (like 
car registration numbers), or 


b pronounceable but non-English words 


8 The systems should enforce password changes, not allowing the immediate 
re-introduction of an existing password. With Secure Personal Data a monthly 
change is desirable while a quarterly change would be appropriate for Confidential 
Personal Data. 


9 Passwords should be defined/coded in such a way that they are not easily 
reproducible by chance or by inspired guessing. If machine generated passwords 
cannot be used, facilities should be available to enable the systems manager to 
inspect passwords (dissociated from identity numbers) and disallow those that are 
inadequate. This is obviously a hazardous facility but it might be handled more 
securely if it were done in retrospect so that passwords which were being changed 
were made available to the system manager for checking. 


10 In order to avoid disclosing existing passwords, a good system should allow 
the use of the same passwords by different individuals. 


11 An identification name/number and its associated password, with access to 
Confidential or Secure Personal Data, should be disabled if more than a specified 
number, say 3, access failures happen within a 24 hour period. 


12 Identification name/numbers and passwords should be capable of being 
restricted to particular terminals, locations or systems. 


13. The password should be required during the log-off procedure for 
Confidential and Secure Personal Data and preferably at intervals of not more than 
an hour during a period of continuous use. 


14 Systems should be automatically logged-off whenever the terminal is inactive 
for a predetermined period that can be set according to the sensitivity of the data in 
the system. 


15 Passwords should allow access to different types of user for different purposes 
for example, reading only, adding new data, amending existing data, deleting data. 
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16 Passwords should not be displayed on VDU screens, printed or sent by 
electronic mail 


Note 

In due course more reliable means will become available for authenticating the 
identity of an individual using fingerprints, voice prints, signature analysis. As yet 
such systems are not commercially available. 


c Networked Systems 

1 Where local systems are used as part of a network it is desirable that there 
should be two levels of password control, one to give access to the network and one 
for the local system, unless alternative and more secure facilities are available. 
(This feature is particularly important in selecting network systems). 


2 Where particularly Confidential or Secure Personal Data is to be transmitted 
over networks, consideration should be given to using data encryption and error 
correction techniques to guarantee the security of the data. This is particularly 
important in the case of public networks. 


3 Any general access to the Authority's systems, containing Confidential or 
Secure Personal Data, via a modem from the public switched telephone network is 
undesirable unless special techniques are adopted (eg answer back modems) to avoid 
unauthorised access to the data. Access to less confidential systems may sometimes 
be exploited to give unintended access to other systems unless steps are taken to 
make this impossible eg by avoiding the use of common passwords for systems of 
different sensitivity. 


d_ Application Design - Identifying Data Subjects 

1 The Data Subject's identity should be displayed on every screen used to update 
information concerning him, or her, and on every screen from which Personal 
Information may be extracted. 


2 As more patient information is recorded on computer systems effective 
identification facilities are essential for linking records. Consideration should be 
given to the use of check digits on all numeric patient identification numbers. 


3 Systems should be designed to ensure that identifying data is mandatory and 
records cannot be created without all mandatory data. Where some of these data are 
unobtainable, from say, an unconscious patient, the entry of question marks will 
alert everyone to the lack of data, the need for obtaining it as soon as possible, and 
the potential inadequacy of the identification. 


16 Chapter 3 NHS Data Protection Handbook [version 3.0] May 29, 1987 


4 In designing systems, consideration should be given to holding the personal 
identity and the sensitive information on separate magnetic media, or with 
non-obvious linking mechanisms or in encrypted format. This approach is vital for 
Secure Personal Data and would be good basic practice for the next generation of 
systems containing Confidential Personal Data. 


e Application Design - Data Accuracy 

1 _Inorder to improve the accuracy of the data, systems should be designed in 
such a way as to encourage the originators of data to enter it into the eompuler 
system and validate items that cannot be checked automatically. 


2 Validation checking should be automatic and carried out whenever possible. 
This checking should take place on individual fields and any relationships with other 
fields in the record (eg check that Mr or Master is male and that married persons are 
equal to or over 16 years, etc) 


3 For Secure Personal Data and for some Confidential financial Personal Data, it 
may be necessary to record all changes of data item by item, together with the 
identity of the Authorised User of the system and the date and time and possibly the 
location of the terminal. 


4 In general, systems should have a convenient method of providing an 
intelligible print out of a Data Subject's Personal Data for use in simplifying 
Subject Access requests. 


f Application Systems Design - Data Security 

1 Systems must have clearly documented methods of recovering data following 
hardware or software failure to ensure that there is no loss or corruption of 
information [this follows directly from the Eighth Data Protection Principle]. 


2 The user name/identification number should where possible be displayed on 
the VDU screen while it is in use. 


3 Confidential and Secure Personal Data should be labelled as such in all normal 
output from computer systems with an indication that its use and disclosure is 
subject to the Eight Data Protection Principles and the Data Protection Act 1984. 


Alternatively, suitable wording about the Act should be over-printed on the 
computer output. 


4 _ Each password should be allocated a set of data to which it entitles access. 


5 No display or print out of information should be possible without having been 
authorised by a relevant password. 
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6 Unauthorised printing of records should be prevented through properly 
designed control mechanisms - the encryption of sensitive records should be 
considered as an effective means of prevention. 


7 It should not be possible to produce printout without the use. of appropriate 
access controls and where possible all printout should include a record of the date, 
time, terminal and identity of the authorising individual as an integral part of the 
records. 

8 All output of Confidential or Secure Personal Data on paper or film should be 
clearly marked as such and suitable security procedures for handling these data 
should be included in the relevant User Manuals. 


9 There should be a mechanism for providing temporary limited access to parts 
of the system for a user who does not normally require access. 


g Computing Bureau Responsibilities 

Whether a Computing Centre is functioning as a Computer Bureau for another 
Health Authority or providing services for its own Authority, it must take 
responsibility for the security of the systems it runs and must be primarily 
responsible for the implementation of the Eighth Data Protection Principle. 
Responsibility must not be allowed to slip between the Computing Centre and its 
users. The following guidelines merely give a flavour of the good computing 
practice expected. 


1 In all operational systems the data must be secured by:- 
a regular dumping of the data 
b keeping a record of all changes of data 


c keeping separate backup copies in another location (not simply 
another room in the computer building) that is secure from theft, fire, 
flood. 


d archiving old data necessary for research and historical purposes (as 
necessary) 


2 Only sufficient backup copies of magnetic media should be made and kept to 
ensure the recovery of the system after a system crash in the most unfavourable 
circumstances. 


3 Suitable operating system and applications software should be utilised to 
ensure that the requirements of the Act are adequately covered. 


4 Unauthorised access to systems must not be possible via blank or ‘Mickey 
Mouse’ passwords, via the Users’ "help" services or via facilities provided for local 
or remote system support. 
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5 Illegal attempts to log into a system should be detectable, logged and 
appropriate action taken (eg lock keyboard and send security guard to location of 
terminal). Special software aids may be useful in restricting access to specific times 
and locations. 


6 — System logs should be monitored for unlikely times or locations at which the 
system was accessed and for suspicious sequences of log-in failures in order to 
detect unauthorised access. 


7 Full security measures should be implemented to prevent tampering with data 
and consideration should be given to methods of detecting illegal usage of the 
systems. 


8 Whenever possible all batch processes should be initiated via a transaction to 
which normal confidentiality rules can be applied. Where this is not possible, 
written requests should be obtained for all rans. Where systems are run routinely, a 
signature at intervals, rather than on each occasion, is sufficient. 


9 Output from the Computer Bureau must only be made available to an 
individual authorised to receive it and authenticated as authorised by the Computer 
Bureau. 


10 Output on paper or film from a Computer Bureau should be subject to the 
same rules of confidentiality as pertains to locally produced output (eg destruction, 
number of copies, etc) 


11 Between authorised runs batch process files should be stored in a library and 
access only given to them on production of the relevant transaction request or 
written authorisation. 


12 Personal Data that is neither required for system security nor for historic 
records should be deliberately erased, rather than being reassigned for reuse and 
overwriting. 


h Data Custodian Responsibilities 

1 All systems containing Personal Data must be adequately protected by 
adequate passwords or physical security. Generally, Registered Personal Data can 
be password protected in a microcomputer environment or else discs and output can 
be locked in a desk or filing cabinet. 


Full password protection is required for Confidential Personal Data and, generally, 
current microcomputer operating systems are inadequate to protect Secure Personal 
Data unless they are backed up by additional and effective physical security 
measures. 
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2 Passwords on systems containing Confidential and Secure Personal Data 
should be changed not less frequently than quarterly and monthly respectively, 
either by setting parameters in the system or by administrative procedures. 


3 The Data Custodian should hold copies of the Authority's registrations under 
which the system is being used and he or she must ensure that the usage of the system 
complies with those registrations. 


4 The Data Custodian for each system should maintain an up-to-date list of 
Authorised Users. 


5 The Data Custodian should ensure that Authorised Users are trained in the 
procedures described in the User Manual for using the system and are aware of the 
sensitivity of the Personal Data to which they have access and of the implications of 
the Data Protection Act 1984. They must understand the Authority's registrations 
for the systems to which they have access, and the Authority's Policy and Code of 
Practice on Data Protection. 


6 The Data Custodian should de-activate passwords belonging to staff changing 
jobs within the Authority, and especially to those leaving the Authority's 
employment. This is essential when staff have been disciplined or dismissed. 


7 The use of general passwords should be avoided and passwords should only be 
allocated to individuals. 


8 The passwords should give the lowest level of access to the systems compatible 
with enabling the individuals to do their job. If possible they should be restricted to 
relevant systems, terminals or times. 


9 The integrity of the data must be maintained by appropriate operational 
security procedures defined in the System Manual and these procedures should be 
confirmed to be functioning and effective by the Data Custodian. 


10 The ability to recreate records following a system crash should be 
demonstrable and tested at intervals. 


11 All users should be properly trained in the use of a system before being 
allowed to amend Personal Data. 


12 No demonstration database should contain real Personal Data and no training 
should take place using Personal Data to which an individual does not have access in 
his or her normal work. 


13 Personal Data that is neither required for system security nor for historic 
records should be deliberately erased, rather than being reassigned for reuse and 
overwriting. 
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14. All systems containing Confidential or Secure Personal Data should be 
protected by a time out mechanism which automatically logs out the terminal if it 
has not been used for a set period, compatible with normal use. 


15 Contractual, or at least written, assurances should be obtained from equipment 
or software maintenance organisations regarding the confidentiality of Personal 
Data disclosed while rectifying system faults. An appropriate disclosure should be 
included in the Data User's registration where necessary and the maintenance 
organisation should be registered as a Computer Bureau under the Act. This 
requirement should include Regional Computer Centres supplying Computer 
Bureaux services to other Health Authorities. This requirement includes access to 
Personal Data whether on the Data User's premises or at the maintenance 
organisation's premises if equipment has to be removed for testing or repair. 


16 Administrative procedures should be introduced to prevent unnecessary or 
unlawful photocopying of confidential records. 


17 In general, Confidential or Secure Personal Data whether in printed or 
computer readable form, should be kept under lock away when not actually being 
used. 


18 Copies of Secure Personal Data should be numbered and their usage carefully 
controlled and monitored. 


19 Personal Data should be made available at different levels to different types of 
user and for appropriate purposes ensuring that the user has access to no higher 
level of activity and to no more Personal Data than his or her job requires. 


20 All unwanted printout, both of paper and film, should be collected and 
destroyed by secure and approved methods (eg incineration, shredding). 


21 The volume of information held on microfilm or microfiche records is 
substantial and secure means should be devised for the production, storage and use 
of such records. These records can easily be stolen and read in the local library, if 
no other readers are readily available. Such information banks are very vulnerable 
and they require very special care if the information is to be kept secure. 


22 Outside or inhouse service organisations should not be allowed to specify 
passwords for use on Authority systems as they tend to make multiple use of the 
same passwords. If such a password were discovered on a less sensitive system it 
might then provide access to some more sensitive system. Alternatively, a password 
can be provided temporarily and disabled immediately afterwards. 


23 All unused passwords should be disabled 
24 The same password should not be used on very sensitive systems as well as on 


minor and relatively insecure systems. 
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i Authorised Users' Responsibilities 
1 All Authorised Users of the Authority's Information systems should be aware 


of:- 


a __ the confidential nature of this post. Disclosures of confidential information or 
disclosures of any data of a personal nature can result in prosecution for an offence 
for civil damages under the Data Protection Act 1984 or an action for civil damages 
under the same Act in addition to any disciplinary action taken by the Authority 
which might include dismissal. 


b __ their responsibilities under the Data Protection Act 1984 


¢ the Authority's Policy, Code of Practice and User Manuals concerning Data 
Protection, Data Security and Confidentiality 


2 Only listed Authorised Users, or Word Processing and Electronic Mail 
Systems Users, may use the Authority's computer systems for processing Personal 
Data. Authorised Users should have access to copies of the Authority's relevant 
registrations under which they are using the data and be satisfied their usage of the 
systems is covered by these registrations. 


3 The local knowledge necessary for using systems should not be left in an 
obvious place beside the terminals outside of normal working hours, unless securely 
locked away. 


4 Passwords should be adequate to prevent unauthorised access, should not be 
written down in obvious places, or attached to terminals. If necessary, they should 
be securely locked away in a sealed envelope to which access can be detected. They 
should never be disclosed, except as directed by the Data Custodian, stored in other 
computer files or sent by electronic mail and they should be changed regularly, 
unless they have been discovered in which case they should be changed immediately. 


5 Copies of Personal Data obtained by using a microcomputer as a system 
terminal or by down loading data to a microcomputer should be protected with 
security measures as stringent as those built into the original system. 


6 All Personal Data to which the Authorised User has access must be treated 
confidentially and should not revealed to anyone who does not require to know it 
for the purposes of their work with the Health Authority. 


7 All Confidential and Secure Personal Data on paper, film or in computer 
readable form should be securely locked away when it is not in use. 


8 Copies of Confidential or Secure Personal Data, whether on paper, film or in 
computer readable form, must be destroyed or erased securely when no longer 
required. 
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9 Users should check when they log into a system that the computer record of the 
last access into their password corresponds to their own memory of that event and 
that where a record of access failures is given, this too is reasonable by comparison 
with their own knowledge. Any discrepancies should be reported immediately to 
the Data Custodian and the password should be changed and the system checked for 
other irregularities. Password stealing programs can simulate the log in sequence 
and lead to an apparent log in failure, not to system access but they cannot increase 
the log in failure count. 


10 Terminals should not be left unattended when “logged in" to a computer 
system. If the system is not in constant use the user should "log off”. 


11 Personal Data must not be disclosed to anyone not covered by the Authority's 
registrations. Any such requests must be referred directly to the Data Custodian. 


12 Deliberate unauthorised access to copying, alteration or interference with 
Personal Data or computer programs should not be allowed. 


13 Persons leaving the employment of the Authority must return all identity 
cards, manuals and other property belonging to the Authority on their last working 
day and their passwords must be invalidated. 


j. Word Processing and Electronic Mail System Users 

The interpretation of the Data Protection Act 1984 is not particularly clear in 
relation to Word Processing Systems. There are many such systems in use within 
the NHS. The data held on them, and on Electronic Mail systems, may contain 
general text which either does not refer to individuals, and is therefore outside the 
scope of the Act, or they may contain information about individuals which does 
come within the Act. Such information can cover a wide range of sensitivity. It is 
therefore appropriate to treat Word Processing and Electronic Mail Users as a 
separate category of computer system users and that a separate Register entry 
should cover their usage - usually the Data Subject's are "Correspondents and 
Enquirers S024". In general, no other Data Subjects should be allowed to emerge. 


If the Personal Information, such as a reference relating to an individual who is not 
a correspondent, is held on a Word Processing system, it will only be exempt from 
the Subject Access provisions of the Act if:- 


a The reference is only be edited until it is finalised for its current 
purpose, once finalised it may be printed again but it must not be re-edited for 
later use. 


b It must not be searched for any specific word or name in the text (other 
than for a correspondent who is already a Data Subject but who is not the 
subject of the reference). 
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Cc Several copies of the printed reference may be stored in a manual file 
for subsequent manual editing, and possibly re-input to the word processor, 
but the electronic copy of the reference must be erased from the word 
processor storage media as soon as the letter and the reference has been posted. 


d In order to demonstrate compliance with the exemption from the Act, it 
is desirable to categorise the work on the word processor and establish 
well-defined life cycles for each category of work such as correspondence, 
committee minutes, reports and papers. 


Any references, lists of papers including authors names, curriculum vitae and any 
other groups of individuals can give rise to additional Data Subjects unless care is 
taken to ensure that they are not referenced by reference to these individuals. If this 
were to happen the Authority's registrations would need to be amended and the 
additional Data Subjects referenced to allow for possible Subject Access. 


1 All Word Processing and Electronic Mail System Users should be aware of:- 


a __ the confidential nature of this activity. Disclosures of confidential information 
or disclosures of any data of a personal nature can result in prosecution for an 
offence for civil damages under the Data Protection Act 1984 or an action for civil 
damages under the same Act in addition to any disciplinary action taken by the 
Authority which might include dismissal. 


b _ their responsibilities under the Data Protection Act 1984 


c the Authority's Policy concerning Word Processing and Electronic Mail 
Systems. : 


2 Only listed Word Processing and Electronic Mail Systems Users [or 
Authorised Users] may use the Authority's word processing and electronic mail 
systems for processing Personal Data. They should have access to copies of the 
Authority's relevant registrations and be satisfied their usage of the systems is 
covered by these registrations. 


3 No additional, unregistered, Data Subjects must be allowed to emerge during 
their use of the system. 


4 The local knowledge necessary for using systems should not be left in an 


obvious place beside the terminals outside of normal working hours, unless securely 
locked away. 


5 Where passwords are used they should be adequate to prevent unauthorised 
access and should not be written down in obvious places, or attached to terminals. 
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6 All Personal Data should be treated confidentially and not revealed to anyone 
who does not require to know it for the purposes of their work with the Health 
Authority. 


7 ~ All Personal Data on paper, film or in computer readable form should be 
locked away when it is not in use and destroyed or erased when no longer required. 


8 All of the eight principles of the Data Protection Act 1984 apply to Word 
Processing and Electronic Mail systems. Therefore it is essential that ali data are 
kept secure, and not disclosed except as registered. 
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Annexe 3.1 - Authorised User Compliance Form 


Data Protection Act 1984 
Health Authority 


Name 


Department 


1 [have read the Registrar's Guidelines explaining the Data Protection Act 1984 
2 Ihave read and understood the responsibilities of Authorised Users in the 


handling of the Health Authority's computer systems which are outlined 
overleaf. 


signed 
date 
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Annexe 3.2 - Word Processing and Electronic Mail System User 
Compliance Form 


Data Protection Act 1984 
Health Authority 


Name 


Department 


I have read and understood the responsibilities of Word Processing and Electronic 
Mail System Users in the handling of the Health Authority's computer systems 
which are outlined overleaf. 


signed 
date 


27. Chapter 3 NHS Data Protection Handbook [version 3.0] May 29, 1987 


Data Protectlon 
Act 1984 


(oe 


Registration of 
Data Usage Advice 


Register of 
Equipment 
Register of 
Systems 
Data Protection 
& Complaints Log 


Subject Access 
& Disclosure Log 


Code of 
Practice 


NHS CIT 
Advice 


fig 3.1 Data Protection Documentation 
for a Health Authority 
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Chapter 4 


Subject Access 
The Provision of Copies of Personal Information for 
Individuals 


4.1 Introduction 

The Data Protection Act, 1984, gives individuals a series of rights which have been 
summarised in the Data Protection Registar's Guideline No 5 on Individuals Rights. 
The most fundamental of these rights is that of access to a copy of any Personal Data 
held on him, or her, by a specific Data User. (This is usually referred to as a Subject 
Access request). In addition, there are rights to compensation for inaccuracy of 
Personal Data, loss of Personal Data or unauthorised disclosure of Personal Data. 
Furthermore, the Data Subject may apply to a court for an order that inaccurate 
data should be corrected or erased, or he, or she, may complain to the Data 
Protection Registrar if there are grounds for believing that a Data User has 
breached any of the Data Protection Principles or any provisions of the Data 
Protection Act 1984. The handling of court actions is a matter for later discussion 
but the concern of this chapter is to ensure that the Data User understands the 
requirements of the law in giving individuals copies of their Personal Data. 


The basic rules for handling Subject Access are laid down in Section 21 of the Act 
but they may be modified by any of the Orders under the Data Protection Act 1984 
that may be in force. The core of this section is that 


"an individual shall be entitled - 


a __ to be informed by any Data User whether the data held by him includes 
Personal Data of which that individual is the Data Subject, and 


b _ to be supplied by any Data user with a copy of the information constituting any 
such personal Data held by him; 


and where any of the information referred to in paragraph (b) above is expressed in 
terms which are not intelligible without explanation the information shall be 
accompanied by an explanation of those terms" [Act Section 21(1)]. 


The Data User must comply with the request within 40 days (elapsed time not 
working days) of the time at which he has a valid, written request, together with a 
fee, containing sufficient detail for the Data User to locate the Personal Data 
concerned. 
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The information supplied should be that Personal Data held at the time of the 
request or at any other convenient time during the period of 40 days, providing that 
no amendment or deletion of that Personal Data takes place that would not have 
occurred if there had been no Subject Access request [Act Section 21 (6-7)]. 


According to the type of system there may well be periods within the processing 
cycle when all the data about an individual are brought together in a batch 
processing run to update a main record. During, or immediately after such a main 
run, might be a particularly good time to handle Subject Access requests providing 
the run will take place early enough in the 40 day period. 


The general process of handling Subject Access requests has been outlined in the 
flow chart figure 4.1 and discussed in section 4.4. Since some of the procedures can 
become very complicated the chart has been kept as’simple as possible and the 
detailed discussions of particular issues have been included in the text in section 4.3 
just before the discussion of the chart. The special arrangements for handling access 
to Personal Health Data are described separately in section 4.5 while the basic 
organisational arrangements for setting up the systems for handling Subject Access 
are addressed below. 
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4.2 Organisational Arrangements for Handling 


Subject Access 

It is important to set up a satisfactory organisation within each Health Authority to 
carry out the necessary activities. In the various trials it has proved much more 
difficult than anticipated to secure the active collaboration and support of the users 
of the various computer systems. A large number of computer systems are covered 
by most entries in the Data Protection Register and confidential information is 
normally contained within an appropriate section of each department. Good 
contacts and confidence must be established to make the necessary Data Protection 
arrangements work smoothly. 


In order to have things working satisfactorily for 11 November 1987 it will be 
important to raise the awareness of all Data Custodians and Heads of Departments of 
their legal responsibilities and of the requirements of the Health Authority. The 
best approach would appear to be as follows:- 


a Organise a Seminar for Data Custodians/Heads of Departments 
This seminar should be a cross between an ordinary working meeting and a Subject 
Access seminar, the precise approach depends on local requirements. During the 
seminar it is important that a clear understanding should be achieved on the 
following matters:- 


1 The legal responsibilities of the Authority as the registered Data User 


2 The complexities inherent in the legal requirements for handling 
Subject Access requests [Subject Access is not an optional 
matter that can be done at the end of the day if there is time] 


3 The need for Data Custodians to cooperate quickly in providing copies 
of all relevant Personal Data when requested 


4 The need for all holdings of Personal Data to be examined in detail for 
difficulties that may arise in handling Subject Access requests 


5 The timetable required to enable Subject Access requests to be handled 
correctly by 11 November 1987. 


b Conduct Detailed Interviews with all Data Custodians/Heads of 

Department 

These interviews should concentrate on the difficulties that will be faced by each 

Data Custodian and ensure that any detailed problems in handling Subject Access 

requests from the data holding overseen by that Data Custodian are brought to light. 

If problems of access to the data arise then this must be taken up straightaway with 
’ the Head of Department. 
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The specific areas for the examination of possible difficulties are as follows:- 
1 Locating all copies of Personal Data 
2 Obtaining all copies of Personal Data 
3 De-coding Personal Data where required 
4 


Deleting names of other individuals amongst the Data Subject's 
Personal Data where appropriate 


5 Handling problems arising from the possible oblique identification of 
third parties 


6 Handling very sensitive Personal Data 


7 Providing the Personal Data within the required time [20 days to allow 
time for handling all the associated administration] 


The particular issues that will be most important in each case will vary with the 
systems overseen by the particular Data Custodian, the geographic spread and extent 
of the data holding. 


c Establish the Programming Requirements 

In many cases there will be no need for any programming effort to handle Subject 
Access requests but at the other extreme there will undoubtedly be some systems 
where the required Personal Data will be difficult to obtain or very hard and time 
consuming to decipher. In these cases, some programming will be required but the 
urgency will depend on the volume of Subject Access requests. 


cl Staff 

Amongst these cases it may well be considered that the most satisfactory way of 
handling the main Personnel systems will by providing a routine yearly printout 
for staff of their Personal Data rather like the yearly P60 output concerning their 
pay, deductions and tax. Such an approach does not prevent anyone from initiating 
Subject Access requests but it should considerably reduce the volume of requests 
from staff by providing everyone with a free copy of the most important 
information held in their records. It should, also, assist in ensuring that the records 
are kept accurate and up-to-date. Such an approach is likely to require special 
programming in order to provide an intelligible record for staff and to handle the 
volume of records that would have to be printed. 


c2 Patients 

Currently no-one knows how large the volume of requests for Personal Health Data 
will be. The fee of £10 may reduce frivolous requests but should not deter anyone 
with a serious interest in obtaining copies of their Personal Health Data. 

c3 Resources 
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aa? 


Each Health Authority will have to judge what volume of requests it is likely to 
receive when deciding on the staff and resources to allocate. Whatever decisions are 
made initially, all requests must be processed in the 40 day period, even if the 
processing is rather inefficient. Clearly the staffing aspect of Subject Access must 
be kept under close review, neither allocating excessive resources nor failing to 
handle the Authority's legal responsibilities. This use of resources will be most 
efficiently achieved if the Data Protection Co-ordinators are able to work to a 
carefully organised scheme rather than being faced with a crash programme 
because the requirements have not been properly planned. 


d= Establish a Data Protection Office 

All Health Authorities must ensure staff know where the Data Protection Office is 
located and all enquiries should be directed to that office, which has access to 
specialist Data Protection advice. Furthermore, it should function effectively, 
irrespective of illness, staff holidays and other urgent Health Authority activities, as 
otherwise the allowed period for-handling Subject Access requests will be likely to 
be exceeded. All correspondence and documents should be date stamped and filed 
for future reference and the Authority's standing orders for handling finance must 
be followed. 


e Ensure that All Staff and Managers Know Where to Direct Subject 
Access Requests 

The Health Authority has listed the address(es) for handling Subject Access requests 
in its registration forms and these addresses appear on the Data Protection Register. 
However, valid Subject Access requests may be delivered or handed in anywhere 
within the organisation, not simply at the designated address(es) in the Register. It 
is important, therefore, that everyone dealing with the public should be aware of 
where to direct any enquiry concerned with Data Protection that may turn out to be 
a Subject Access request. A suitable circular to Heads of Department and Staff 
should cover this requirement but the message must be reinforced from time to 
time. 


f Establish a Secure Means of Holding Confidential Information 

In order to handle confidential information it is obviously necessary that Data 
Protection Co-ordinators should have a secure lockable safe or cabinet in which to 
keep the Personal Data while the requests are being processed. This is an essential 
pre-requisite for receiving copies of Personal Data from Data Custodians. 
Confidential and Secure Personal Data should be securely locked away except when 
in active use and in the custody of the Data Protection Co-ordinator or his/her staff. 
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g Design and Organise the System for Handling the Paper Work of 
Subject Access 

In order to make the paperwork effective the forms necessary for handling Subject 

Access should be designed and copies obtained as soon as possible [it is hoped that 

this process will be simplified by the suggestions in this Data Protection Handbook]. 

Everyone involved should become familiar with the actions required in handling 

requests. 


Some distinctive labels or identification markers are definitely required if these 
requests are not to become lost amongst the large volume of paper work flowing in 
the Authority's communications channels. 


h_ Testing the System Before 11 November 1987 

The approach being used should be tested as soon as possible and certainly well 
before 11 November 1987 if there is to be any hope that it will be operational by 
that time. The Data Protection Co-ordinator should have tested his, or her, ability 
to obtain copies of Personal Data from all the Authority's data systems in a form 
that can be used as a basis for handling Subject Access requests and within a 
timescale that allows the Authority to discharge its responsibilities under the Act. 
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4.3 Discussion of Some Key Issues 

a _ Requests for Information 

A large variety of requests for information arrive at any Health Authority and steps 
have to be taken to ensure that they are directed into the appropriate channels. It is 
important, therefore, to elucidate the nature of each request so that it may be tackled 
correctly. Some possibilities for confusion are indicated below:- 


al Requests from Inside the Authority 

Requests for information for the Authority's own activities should all have been 
registered under the Data Protection Act 1984. The procedures for such requests 
are discussed in chapter 5. They are not governed by the Subject Access regulations 
but it is important to keep a check on them to make sure that any new data usage is 
registered before it occurs. 


a2 Requests from Outside the Authority 

Requests from outside the Authority may involve disclosures of information that 
may, or may not, be allowable under the current set of registration documents or 
else they may be Subject Access requests. The former will, also, be treated in a 
chapter 5 but the latter form the basis of this discussion. 


a3 Subject Access Requests 

Subject Access requests will not always be made by the Data Subject themselves and 
the real basis of the request may not be apparent initially. It is, therefore, 
important that the fundamental nature of any request should be established right at 
the start. 


Where information is normally provided to an individual about his, or her, own 
affairs, these channels can continue to operate in the same way provided that 
satisfactory steps are taken to ensure that the identity of the individual requesting his 
information is clearly established [having regard to the sensitivity of the Personal 
Information involved]. Furthermore, there is no necessity for the Authority to 
charge for such services - particularly where it is provided as a means of keeping its 
records up-to-date and accurate or where it might be thought to be good practice in 
its relations with its staff, patients or customers. However, such informal 
arrangements may, or may not, provide the Data Subject with all his Personal Data 
under any particular register entry and they do not affect his right to initiate the full 
Subject Access procedure. Indeed, such requests should normally be treated as 
Subject Access requests except where the individual indicates that he is satisfied with 
the informal arrangement and does not wish to pursue the formal approach. 


While making arrangements for handling Subject Access each Health Authority is 
advised to review its policies on the release of Personal Information to those who 
are the subject of such information. In general, the Data Protection Principles 
would encourage Data Users to provide Data Subjects with copies of their own 
Personal Information in order to ensure that it is accurate and up to date, thus 
improving the quality of their records. 
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While the Act encourages the provision of copies of Personal Data to Data Subjects, 
the careless, inappropriate, or unauthorised disclosure of Personal Data to other 
persons could render the organisation and the individual liable to civil or criminal 
action. 


b = Identification of Individuals 

The Registrar's Guideline 5 on "Individuals Rights” pp 8-10 outlines his general 
approach to the problem of authentication of the identity of an individual making a 
request. The information required to establish identity should be consistent with 
that required by the Health Authority in other comparable activities. 


The Registrar suggests that:- 


“If the information held is not very sensitive and the reply is to be sent to an address 
known to the Data User to be that of the individual, the usual signature of the 
individual should be sufficient proof of identity. If the information is more 
sensitive - so that its accidental disclosure to an individual impersonating the Data 
Subject would be likely to cause damage or distress to the real Data Subject - the 
Data User might reasonably require better proof. Possible methods of checking 
identity in these cases include 


- asking the individual to give information which, if Personal Data are held 
about him, will have been recorded by the Data User and which he might be 
expected to know if he is who he claims to be. For example, if the Personal 
Data is contained in a personnel record, it would be reasonable to ask the 
individual to supply his date of birth and National Insurance number 


- asking the individual to have his signature witnessed by another person aged 
over 18 years who is not a relative. The witness could be required to provide 
his full name and current address and to certify that, to the best of his belief, 
the applicant is who he claims to be 


- the applicant might be asked to produce a document which could be expected to 
be in his possession - either a communication from the Data User or an official 
document such as a driving licence or benefit book". 


There are considerable advantages in following a counter signature approach and it 
is recommended that the actual Subject Access form should always:- 


1 scarry a warning that an applicant would be committing a criminal offence if 
he, or she, makes any untrue statements in order to obtain information to 
which he, or she, is not entitled 


2 require a third person to witness the signature, to certify that they know the 
individual and that he, or she, is who he, or she, purports to be. [There is no 
requirement for this person to either see the contents of the rest of the form or 
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to give any assurance that the other particulars supplied are correct]. 


3 The counter signature should be checked whenever there is any doubt and a 
random number of additional signatures should be checked to ensure that this 
approach is secure. 


Although the Data User cannot require a Data Subject to use such a particular 
Subject Access form, the form itself gives a clear indication of the sort of evidence 
of identity required and of the seriousness with which the process of identification 
of individuals is taken. 


The problem of authenticating patients is likely to be more difficult than that of 
identifying staff as they may wish to make a Subject Access request long after the 
individuals concerned with their care have left or moved elsewhere. Further, there 
is no really good way of deciding what Personal Data may be specially sensitive in a 
particular situation and hence all Personal Data should be treated with care. 


In the case of staff, it is usually fairly easy to find a manager or a long standing 
colleague who can vouch for the identity of the individual. The approach taken in 
the design of the Subject Access request form is to obtain the signature of someone 
who can support the identification of the Data Subject. 


Where there is insufficient evidence to authenticate the Data Subject, the Data User 
must ask the Data Subject for such evidence as he may reasonably require for this 
purpose. It is not enough to wait for evidence to arrive, it must be actively 
requested from the Data Subject. 


In case of fraud the Registrar suggests that:- 


"If there are genuine reasons for suspecting that an individual has improperly made 
a subject access request in the name of another, the Data User may wish to report the 
matter to the Registrar or the police”. 


c Establishment of Authority to Obtain Personal Information 

The authority for obtaining Personal Data on behalf of someone else is a complex 
matter but it needs to be taken seriously because the disclosure of Personal 
Information that causes damage and distress to a Data Subject can give rise to civil 
proceedings for compensation. In general, a simple consent form signed by the 
Data Subject and witnessed by a non-involved third party would normally be 
sufficient but the Health Authority should seek to establish the authority of the 
applicant to the level appropriate to the sensitivity of the Personal Data concerned - 
bearing in mind the fact that sometimes it is difficult for the Data User to be aware 
of how sensitive a seemingly harmless piece of Personal Information might be. 
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Although this authority may be self evident in many cases, the onus for proving the 
authority rests essentially with the applicant but the Health Authority must make 
appropriate requests for the information needed and should handle these enquiries 
carefully and sensitively. 


An adult may readily arrange for someone else to act on his, or her, behalf for 
simple convenience. A variety of individuals may be acting on behalf of a child and 
someone may be acting on behalf of a mentally incapable individual under a Section 
21(9) Order. The Authority may arrange to send the Subject Access Information to 
the applicant or the Data Subject as appropriate. 


d= Details Required for Locating Personal Data 

The key information in locating Personal Data will normally relate to the Data 
Subject's relationships and interactions with the Health Authority. A properly filled 
in Subject Access request form should normally allow the Authority to locate the 
relevant information, whether the computer system is a major central system or a 
departmental microcomputer. 


Obviously, the more precision and the more detail that the Data Subject can give, the 
easier the process of location may become as, for instance, a precise date may allow 
a direct look up process, rather than a search, and this may be important during the 
initial period when most computer systems have not been designed to allow a quick 
response to Subject Access requests. 


However, this process must not be overdone to the extent that Data Subjects are 
being asked for excessive detail beyond that strictly necessary for locating the 
information requested. 


Even if no further details are forthcoming, the Data Protection Co-ordinator should 
review the situation to see whether he can, nevertheless, handle the request. If that 
is possible, he must do so, however inconvenient it may be. 


e Use of Forms 

Although it is not permissible for a Data User to insist on the Data Subject using a 
specific form for making a request, the design of a suitable form enables the Data 
User to think through all the issues relating to the handling of Subject Access 
requests. Furthermore, it gives the Data Subject a reasonably clear idea of the 
information normally required by the Health Authority to process the request. A 
properly completed form should satisfy the Authority's information needs and 
enable the 40 days period allowed for Subject Access to start immediately. A 
suitable form is attached as Annexe 4.3, but some modification may be necessary to 
fit local requirements. 


f Requests By or For Children 

The position of children, and the rights of parents under the Data Protection Act 
1984, is extremely complex. Legal advice is being sought as a matter of urgency 
and Health Authorities will be notified as soon as this is available. 
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g The Extent of Personal Information 

The actual extent of the Personal Data of the Data Subject should be examined. 
Modern computing systems tend towards providing integrated systems in which 
most, or even all, data can be inter-related in large databases rather than in 
relatively circumscribed physical records. Even where well-defined records are 
processed these tend to be large ones which include sub-records relating to different 
Data Subjects. The Registrar's advice in Guideline 5 [p 13] is as follows:- 


"The Personal Data held by the Data User may include information which identifies 
another individual as well as the Data Subject - for example a relative or associate of 
the Data Subject or a person who has given information to the Data User about the 
Data Subject. 


In replying to a Subject Access request the Data User need not disclose the 
information unless the other individual has consented to the disclosure. But the Data 
User must still give as much information as possible without revealing the other 
individual's identity. This may involve editing the information to remove the names 
or other identifying details. Information should not be withheld under this 
provision merely because the Data User suspects that the Data Subject may be able to 
guess the other individual's identity. The provision only applies where anyone 
lacking the Data Subject's special knowledge could reasonably be expected to 
identify the other individual from the information..... 


.... Fhe Data User should edit out the minimum amount of information necessary to 
conceal the other individual's identity. For example, a record that the Data Subject 
‘was recommended to us by Mr John Smith’ should not be edited out completely but 
should be revealed as 'was recommended to us by Mr X". If there is more than one 
other individual the names removed should be distinguished by using different 
letters. 


The Data User is not obliged to take active steps to seek the other individual's 
consent although, of course, the Data User may wish to do this." 


This approach of "objective identification" clearly allows a Data Subject to identify 
individuals obliquely because he, or she, will generally have special knowledge 
which when added to the computer record will complete the process of 
identification. Wherever there is some relationship between two individuals there is 
a potential problem from such oblique disclosure. In many cases it will not matter 
because the details are already known to the Data Subject, or because the Data 
Subject supplied the information in the first place (eg next of kin), or because the 
information is of low sensitivity. However, there are important problems to be 
resolved in the matter of Personal Data and it is not yet clear where one individual's 
Personal Data ends and another's Personal Data begins. 


It is generally desirable for the Authority to supply the names of its own Health 
Professionals within the context of a Subject Access request but this is a matter for 
Authority policy setting. 
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h Time Allowed for Response 

The time allowed for responding to a valid Subject Access request is 40 days [Act 
21(6)]. This time starts from the time at which the Data User has a valid request. 

A valid request must be:- 


1 written or typed 


2 accompanied by a £10 fee [or such lesser fee as is acceptable to the Data 
User] 
It must include:- 


3 sufficient information to Identify the Data Subject 
4 sufficient information to locate the Personal Data requested 
In addition, it may need to include:- 


5 sufficient information to identify someone applying for access to 
Personal Data on behalf of the Data Subject 


6 sufficient information to establish the authority of the applicant to 
obtain Personal Data on behalf of the Data Subject 


7 consents to disclosure from other individuals identified in the Personal 
Information sought 


If an initial written request contains all the information necessary to identify the 
Data Subject and the required Personal Data, and if it is accompanied by the £10 fee, 
then the 40 day period starts from the time at which it was received by the 
Authority, not the Data Protection Office. More often there will be some discussion 
or correspondence between the Data Subject and the Data Protection Office staff 
which will result in the completion of a valid request. All staff should be advised to 
route any enquiries or possible Subject Access requests to the specialists in the Data 
Protection Office, rather than trying to handle them personally. 


Where this time is extended for handling examination marks the Personal Data 
required is that relevant to the time at which the request was made, together with all 
subsequent amendments until the Subject Access request has been completed [Act 
Section 35 (1-5)]. 
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i Transient Personal Data 

A consequence of the specification of the Subject Access Provisions is that any 
system from which all Personal Data is automatically deleted in less than 40 days 
does not have to provide access to any of its transient Personal Data, although it 
must still be registered and disclosures are still subject to that registration. This 
particular situation arises, for example, where laboratory reports are processed, 
issued to be included in the case notes and only held on the computer system for a 


short period owing to lack of storage space. 
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4.4 Orders under the Data Protection Act and DHSS 


Guidance 

A number of Orders are currently being discussed for Parliamentary debate before 
11 November 1987 and these will have a substantial effect on the detailed operation 
of the Act in the specified areas. The DHSS Guidance on handling Personal Health 
Data, together with the draft of a proposed Order under Section 29 ((1) of the Act, 
has been issued as a Health Circular and is reproduced after the Annexes to this 
chapter as Draft Order 1. Other draft Orders and DHSS guidance (marked with *) 
will be made available as soon as possible as follows:- 


Draft Order 1 Personal Health Data under Section 29 (1) 

Draft Order 2 Social Work Data under Section 29 (2) * 

Draft Order 3 Mental Incapacity under Section 21 (9) * 

Draft Order 4 Subject Access Exemptions under Sections 34 (2) and 40 * 


It must be understood that these Orders require an affirmative resolution in both 
Houses of Parliament before they become effective. 


An appropriate commentary on how these Orders can be most effectively 
implemented will be produced in due course. 


The handling of Personal Health Data requires special care. The flow chart, in fig 
4.1, outlines the basic approach but the DHSS Guidelines, associated with the Section 
29 (1) Order, amplify the way in which it is expected that Personal Health Data 
should be handled. It is intended that these DHSS Guidelines will be issued officially 
as a Health Circular in September 1987. 

The key questions relating to this order, as currently drafted, are as follows:- 


i What is Personal Data? 
‘Information as to the physical or mental health of the Data Subject if 


a held by a Health Professional 
b first recorded by or on behalf of a Health Professional 
ii What grounds for restricting Subject Access? 


a likelihood of serious harm to the physical and mental health of the Data 
Subject or any other person 


b likelihood of disclosure of the identity of another individual (not a 
Health Professional) 
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iii 


vi 


What sort of person advises the Data User? 

The appropriate Health Professional from a professional group listed in an 
attached schedule who will not necessarily be on the staff or linked in any way 
to the Health Authority 


Which one, in particular, decides? 

"the Health Professional" means 

a the medical practitioner or dental practitioner who is currently or was 
most recently responsible for the clinical care of the data subject in connection 


with the matters to which the information which is the subject of the request 
relates; or , 


b where there is more than one such practitioner, the practitioner who is 
the most suitable to advise on the matters to which the information which is the 
subject of the request relates; or 


c where there is no practitioner available falling within sub-paragraph 
(a) or (b) above, a health professional who has the necessary experience and 
qualifications to advise on the matters to which the information which is the 
subject of the request relates. 


How much time is available for handling the modified Subject 
Access procedures? 


40 days 
Who is responsible for handling the Subject Access Procedures? 


The Data User 
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4.5 Processing Subject Access Requests 

The basic scheme for processing requests is outlined in the flow chart shown in fig 
4.1. It starts with a potential Subject Access request i.e. a request for information 
by an individual [or someone acting on his, or her, behalf} about his computer 
records as currently held by the Health Authority. At the time of writing the details 
of the Orders which the Secretary of State has in mind to lay before Parliament may 
make it desirable to elaborate the flow chart and the text of this chapter but the basic 
scheme outlined below should be sufficient to set up the necessary systems. The 
draft Order under Section 29 (1), reproduced as Draft Order 1, will allow access to 
Personal Health Information to be modified. 


The scheme is based on a series of 15 key questions which are listed in Annexe 4.1. 
The questions are interspersed with a variety of activities, Al-A28, which are all 
cross-referenced to the flow chart in fig 4.1. The activities are, also, listed in 
alphabetical order in Annexe 4.2. Each question or activity is briefly described 
below in sequence and in the context of the detailed discussion of specific issues in 
the previous section. 


In a number of places in fig 4.1 there are circular loops in which certain 
information is sought which will enable the process to be taken to the next stage. 
Clearly, it is possible to elaborate on the various procedures in the flow chart but, in 
order to avoid an excessively complicated chart, the loops have been 
diagramatically simplified. It must be remembered that when any request becomes 
stuck in a particular loop for the lack of information from the Data Subject [or 
applicant], the process may have to be terminated at some suitable time by a letter 
refusing further action unless additional information is forthcoming. 


Furthermore, it may be that some questions, which appear to have been answered 
adequately early in the Subject Access process, may have to be re-opened at a later 
Stage as would happen, for instance, if multiple records appeared and were not 
distinguishable using the information previously supplied. 


In the following text the paragraph headings refer directly to the 
corresponding box or question in fig 4.1. 


Al Log Subject Access Request 

Since the Act imposes time limits on the provision of Personal Data to Data Subjects, 
it is vital that all relevant documents and correspondence should be date stamped and 
that the dates on which relevant events occur should be carefully recorded as 
evidence that the Authority has fulfilled its responsibilities under the Act. A unique 
reference number should be allocated to each Subject Access request. Furthermore, 
the whole process of Subject Access should be monitored to ensure that the various 
activities are proceeding sufficiently fast to enable the Authority to provide the Data 
Subject with a copy of his, or her, Personal Data within the statutorily specified 
period of 40 days. A suitable log is attached as Annexe 4.4. 
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It is possible that the 40 day clock can start at this stage. If a Data Subject hands in a 
written request, together with a £10 fee, that includes sufficient information to 
identify him, or her, and sufficient detail to enable the Personal Data to be located, 
then the clock starts. Any lapse of time between the request being handed in and it 
arriving at the Data Protection Office, or any time spent laying on the Data 
Protection Co-ordinator's desk or in checking that it includes all the necessary 
information comes off the 40 days. 


1 Is this a valid Subject Access Request? [written request plus fee] 
Under the Act a valid Subject Access request is initiated when the Data User is 
presented with a written request together with a fee. The maximum permissible fee 
is prescribed by a regulation under the Act and it is currently set at £10 per request 
Data Protection Register Entry. However, Authorities are free to provide copies of 
Personal Data for less than the maximum fee should they wish. Health Authorities 
are advised to issue casual enquirers with their Subject Access form and indicate that 
they will only proceed with the processing of a request when they have a satisfactory 
written request. Copies of each request should be filed so that that there is 
documentary evidence if the Authority is ever misled into an improper disclosure 
as a result of someone impersonating a Data Subject. This would be difficult to 
establish if information had been given out casually and without any documentary 
evidence. 


A2 Subject Access Denied 

If any of the key elements of the Subject Access Request are missing, the request has 
to be denied. For instance, if there is still doubt about the identity of a Data Subject 
or applicant following checks, then the request must be refused; only the fee is 
optional and at the discretion of the Health Authority. The grounds of the refusal 
should be made clear and the individual should be advised of what evidence, or 
additional information, would be required to enable the request to be processed. It 
should also be made clear that if such information were to be provided, the request 
would be processed in the normal way. The form in Annexe 4.6 can be used for this 
purpose. There are a number of loops in fig 4.1 where additional information is 
being sought from Data Subjects. If the request gets stuck in such a loop the request 
for information should be followed up and then abandoned if no response is 
forthcoming but the Data Subject should always be advised of the position as 
indicated above. 


2 Has the Identity of the Data Subject been proved? 

The Data User must satisfy himself that the person making the request is in fact the 
person he claims to be. In some cases this will be straightforward because the 
individual is well known in relation to other contacts with the Health Authority. In 
other cases the evidence may be difficult to sort out. 
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A3 Request Identity Data Subject 

If there is insufficent information to establish the identity of the Data Subject, then 
the Data User must write to the Data Subject requesting appropriate information. 
The letter requesting information (Annexe 4.5) issued together with the Subject 
Access Request form (Annexe 4.3) would be appropriate. It would also be sensible 
to mark clearly the key items of information that are required. 


3 Is the Data Subject Personally making the request? 

This question occurs in connection with the identification of applicants, other than 
Data Subjects, with requests on behalf of children, mentally incapable individuals 
and requests on behalf of adults. In each case there may be various reasons for the 
Data Subject not making the request personally. 


4 Is the Data Subject under 18 Years Old? 
If the Data Subject is a child then special procedures apply. See section 4.3f. 


A4 Procedures for Children 
Considerable care needs to be exercised in handling Subject Access requests by or 
on behalf of children. These procedures are discussed in detail in section 4.3f. 


5 Has the identity of the applicant been proved? 
Where the Data Subject is not applying in person, the identity of the applicant must 
be satisfactorily established or else the application must be terminated. 


AS Request Identity Applicant 

The applicant must be identified reliably and to at least the same standard as the 
identification of the Data Subject. The process of identification will normally be 
closely bound up with the process of establishing the Authority of the applicant to 
obtain the data requested. 


6 Is the Applicant Authorised to obtain the Information on behalf of 
the Data Subject? 

There is a variety of ways in which an individual might be authorised to obtain the 
information on behalf of the Data Subject. The simplest situation is one in which it 
just happens to be convenient for the Data Subject for someone else to act as his 
agent. Examples might be an accountant, lawyer, doctor, or someone acting for an 
older relative. The key element here is that the Data Subject must have consented to 
or requested the arrangements. Someone holding a more general power of attorney 
would also qualify. The key question is whether there is evidence of authority to 
obtain the information on behalf of the Data Subject. 


A6 Request Authorisation 

Where an adult has requested or consented to someone making an application on his 
behalf, there should be no problem providing there is evidence of this request or 
consent. If there is insufficient evidence, the authority of the applicant must be 
examined. 
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An application on behalf of an adult may arise when someone else is authorised to 
make the application on behalf of a mentally incapable person under an Order under 
Section 21(9) of the Data Protection Act 1984. Other forms of authorisation may 
become acceptable but appropriate authorisation is required for the application to 
proceed. 


Applications on behalf of children are discussed in section 4.3f. They can be quite 
complex and considerable care is required. 


7 Does the request include sufficient information to identify the 
register entry and the Personal Data being requested? 

Each Subject Access request is made against a specific entry on the Data Protection 
Register [ie a DPR1 Form A plus associated DPR1 Forms B] and this entry specifies 
the scope of the search required from the Data User. Where the Data Subject has 
been unable to specify the Register entry, the most sensible course is to send him an 
outline of the various entries in the Register so that he can select the most 
appropriate one(s). In general, a complete copy of the Authority's entries on the 
Data Protection Register will be too extensive for convenient copying and issue. 


If the Data Subject requires searches under more than one entry, then these should 
be set up as separate Subject Access requests and a separate fee is required for each 
entry. If the Data Subject has had his right to a full search explained to him and it is 
nevertheless possible to agree with the Data Subject that information described only 
on one DPR1 Form B is of interest, then the search can be narrowed further. In 
the absence of any such agreement, each search must cover all the 
systems and data usage described by the Form A and the associated 
Forms B. It is not enough to search the most likely places for the 
Personal Data. 


All systems should be searched and a positive nil return should be obtained from 
each Data Custodian, unless there are solid reasons why the Data Subject will not 
have information recorded about him on the systems that are not positively checked. 
It is for this reason that the Authority's registrations should be divided into the most 
sensible logical structure to avoid unnecessary searches while not obstructing 
Subject Access rights. 


It may well be useful to suggest that each Data Custodian should maintain an index 
of current Data Subjects to simplify the Subject Access procedures. 


A7 Request Further Details 

If insufficient detail has been provided, the Data User must respond positively to the 
Data Subject requesting the specific items needed to enable the search to be made. 
The forms Annexes 4.3 and 4.5 would be appropriate. 
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A8 Log Detailed Subject Access Request 

At this stage the 40 day clock definitely starts ticking. The Authority has a detailed 
request on which it can, and must, act. The date on which this happened should be 
properly recorded. The Health Authority is now required to provide a 
copy of the specified Personal Data to the Data Subject within 40 days. 
It would be good practice for the Authority to send the Data Subject [or applicant] a 
card acknowledging his request and advising him that it has been received, checked 
and is now being processed (together with a receipt for the fee if such is required by 
standing orders). 


A9 List Relevant Systems 

From the Authority's registrations a specific registration [DPR1 Part A form and 
the associated Part B forms] has been identified and this must be linked to the 
particular computer systems or other registerable system such as an integrated 
microfilm system, an entry card, telephone or staff logging system, or any 
registerable system, used by the Authority. This can be done from the Register of 
Authorised Systems noted in section 3.4. It should be noted that this list must 
include all relevant mainframe, mini computer and microcomputer systems as well 
as word processing systems, telephone logging and access control systems and 
bureau based systems. 


This register is the fundamental requirement for handling Subject Access and it 
should! always be available and be kept up-to-date. 


8 Is the List of Systems Complete? 

Even if it is definitely up-to-date the initial list from the Register of Authorised 
Systems, should not be taken at face value as there may well be other relevant 
systems to be inspected. A conditionally exempt system may no longer qualify for 
its exemption or a word processing system may not be separately registered and/or 
may have strayed from its registration and contain relevant Personal Data. 
Furthermore, the relevant departments may have initiated some additional systems 
since the last Data Protection Compliance check. Any such system must be added to 
the list of systems from which Personal Data will be sought for this particular 
Subject access request. 


If there is any doubt about some critical issue it would be worth checking that the 
relevant departments have not in fact changed their activities since the last Data 
Protection Compliance check to include additional data systems that should be 
included in the request. The Subject Access request relates to what is actually being 
held on the Data Subject at the time of the request - not what was being held 
sometime previously when the Register of Authorised systems was last updated. 


Furthermore, the request relates to any Personal Data whether or not 
the data usage has been registered. 
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A10 Add to List of Systems 
If any additional systems emerge during the consideration of question 8 they should 
be added to the List of Relevant Systems for this particular request. 


A11 Issue Requests to Data Custodians 

Since each Authorised system has a Data Custodian, each Data Custodian on the list 
should be sent a copy of the Subject Access request, together with a note of any 
special circumstances associated with the request, a certification form to be returned 
with the Personal Data and an easily identifiable addressed envelope for returning 
the Personal Data [Annexes 4.8 and 4.9 give suggestions for suitable letters]. The 
Data Custodian should be asked that he, or she, should respond to the Data 
Protection Co-ordinator with relevant copies of the Personal Data from his, or her, 
computer systems as soon as possible but in any case within, say, 20 days. 


The Authority is required to respond within 40 days to the Data Subject and it is 
clear that some time will inevitably be absorbed by the administrative procedures. 
Only experience will tell in a particular Authority how much time can be allowed to 
the Data Custodians before they start to erode the available time. If 20 days turns 
out to result in missed deadlines then it may have to be reduced to, say, 10 days. As 
far as possible routine post and procedures should be used because they are the 
cheapest and easiest but as time runs out more expensive special deliveries and 
couriers may be needed. Certainly, these requests cannot be allowed to lie 
unopened and unheeded on the Data Custodians’ desks until they return 
from holiday or illess, nor may it be satisfactory for the processing to 
wait for the next time that a consultant has a session at the hospital. The 
envelope carrying these requests should be clearly identifiable and procedures 
should in all cases be made to ensure that they are not delayed in the internal postal 
and other procedures of the Authority. 


A12 Data Requested by Data Custodians 

When the Subject Access requests arrive the Data Custodians should make 
arrangements to initiate the necessary processing requests in order to obtain copies 
of the Personal Data required. This may be by accessing a local microcomputer, 
using a local terminal to inspect the files in a mini or mainframe computer or it may 
be by requesting a batch processing output from a local or Regional Computer or 
from some other Computing Bureau. 


In general, Data Protection Co-ordinators should not interfere with the running of 
data systems directly by issuing their requests directly to any Computer Bureaux. 
The departmental Data Custodian should remain in control of his, or her, data 
system and issue the necessary requests. 


The process of obtaining the Personal Data will vary quite radically from situations 
in which the effort is quite trivial to those in which it is quite difficult because the 
system was not designed to provide such output. In these latter cases it may be 
necessary to program a suitable form of output or put up with some time-consuming 
way of obtaining the necessary output [hoping that the volume of Subject Access to 
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that system will turn out to be small] or abandon the use of the offending system. 


In future, all systems will have as an integral requirement some convenient means of 
obtaining intelligible output for use in handling Subject Access requests. However, 
the current generation of systems does not generally meet this requirement although 
there is usually some way of reading individual records even if it is not part of the 
routine output of the system or if the record output is so highly compressed that it 
must all be totally decoded for the benefit of the Data Subject. 


A13 Monitor Progress of Requests 

All requests should be periodically reviewed to ensure that they are making 
appropriate progress. Follow up requests do not have to be officious but the time 
limit of 40 days does not allow a great deal of flexibility in collecting together 
Personal Data for patients held physically in a wide variety of departments spread 
geographically across a wide area. A couple of Bank Holidays, or Statutory 
Holidays, some postal delays and a few Data Custodians on holiday could easily use 
up all the available time. 


Until the procedures are operating effectively a weekly review of the progress of all 
Subject Access requests should be regarded as a normal requirement. The first 
weekly review should be a routine follow-up to check that there are not likely to be 
any problems in setting up the requests for the data. The second weekly review 
should normally see some Personal Data coming in from the Data Custodians while 
the third review should normally show that all the required Personal Data is 
available for the Data Protection Co-ordinator to process. If this is not the case 
immediate action is required to chase up the outstanding data. Personal Data that 
has not arrived for the fourth review requires urgent action by the Data Protection 
Co-ordinator because the available time for handling the request is being eroded. 
Any Personal Data outstanding at the fifth review must be treated seriously because 
the legal time limit will shortly expire. The General Manager should be informed 
whenever the 40 day deadline for a request is missed. 


Any Subject Access requests outstanding at the sixth and subsequent reviews are an 
indication that the Health Authority has not complied with its statutory obligations 
under the Data Protection Act 1984 and urgent action is required at the highest 
managerial level to correct an unsatisfactory situation. An isolated missed deadline 
may be indicative of the need for better monitoring and follow-up effort but any 
significant number of missed deadlines is indicative of serious shortcomings in the 
system of procedures used for handling Subject Access requests. 


9 Is the Request Specially Urgent or Unduly Delayed? 

If-there is some good reason for asking for the information within a shorter period 
than 40 days the request should be expedited as required by the circumstances. 
Indeed there is no general advantage for an Authority to slow the progress of 
requests while there are good reasons, in terms of reducing the load of current work 
to be overseen and in terms of good public relations, for dealing with requests as 
fast as convenient and compatible with the use of routine procedures. Where a 
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request is shown at the weekly review to be making little or no progress or where 
there is a danger of the 40 day period being over-run positive and effective action is 
required to rectify the situation. 


A14 Expedite Request 

Where action is required to expedite a request all relevant Data Custodians should 
be alerted to the special requirements of the request or to the fact that time is 
beginning to run out. This can be achieved with personal telephone calls to the Data 
Custodians or by letters with special distinctive stickers that will stand out amongst 
all the other post as requiring action. If the necessary action cannot be achieved the 
problem must be drawn to the attention of the most senior manager of the relevant 
discipline - perhaps even to the General Manager. The process of handling the 
request must be documented and shown to be effective. Where it has to be referred 
upwards this too should be documented and dated. 


10 Is the Personal Data covered by a Section 29(1) Order [Physical 
and Mental Health Data ] ? 

The Order under Section 29(1) of the Data Protection Act 1984 defines the Personal 

Data to which it is to be applied - see Draft Order 1. 


A15 Identify and Locate Appropriate Health Professional 

Since the time available for handling such modified access to Personal Health Data is - 
very short in relation to the procedures to be undertaken, the lead Health 
Professional should be identified and located as soon as possible. [See Health 
Circular in Draft Orders] 


A16 Collect Personal Data 

Provided that effective procedures have been implemented, the various copies of the 
required Personal Data should arrive and be filed appropriately. The response 
from each Data Custodian should be a certificate, similar to that indicated in Annexe 
4.9. It should certify that no Personal Data is held or that the attached Personal Data 
is the only Personal Data held on that Data Subject. When new items arrive from a 
Data Custodian it would be worth checking whether all the required copies of the 
Personal Data have arrived so that the Subject Access request can be processed 
further or whether the request needs to be expedited. If that particular request is 
not yet urgent action can await the next weekly review. 


11 Have All the Data Custodians Responded? 

This is simply a matter of examining all the responses from the Data Custodians to 
ensure that there has been a response from each Custodian of all the systems listed at 
the start of the Subject Access request. Where material is absent action needs to be 
taken. 


23. Chapter4 NHS Data Protection Handbook [version 3.0] August 28, 1987 


A17 Request Responses 

Whenever the time limit for handling the request is likely to run out more urgent 
and more frequent action is required both in checking that the file has not yet been 
completed and in chasing up slow moving Data Custodians. 


The actions required to chase up Data Custodians will differ according to the 
individuals concerned. Distinctive stationery will obviously be helpful but as time 
runs out more direct methods are required. Personal telephone calls and visits will 
inevitably be required in many circumstances. How much time an Authority wishes 
staff to spend personally chasing up delayed requests will vary according to the 
staffing levels allocated to Data Protection. Undoubtedly there will need to be a 
considerable amount of this administrative effort initially but as the arrangements 
settle in the aim should be to reduce this personal administrative effort to the 
minimum. 


12 Is the Personal Data Intelligible? 

All information supplied under the Subject Access provisions which "is expressed in 
terms which are not intelligible without explanation" must be "accompanied by an 
explanation of those terms" [Act Section 21(1)]. This requirement means that any 
coding of the information must be made fully available to the Data Subject but it 
does not require that the Data Subject should be provided with a short course in, for 
instance, medicine or any other discipline, trade or activity. It is sufficient that the 
information should be expressed in the normal precise technical terms of the 
relevant discipline or activity that would be understood by other specialists in that 
discipline or activity. However, any abbreviations or local short hand must be fully 
explained and the Data Subject must be provided with an accurate translation of the 
local meaning. 


There is no requirement in the Act for the information to be provided in any other 
language than English but obviously local circumstances should be taken into 
account. It may be that in some areas of the country or in clinics or hospitals 
dealing with significant communities in which English is imperfectly understood 
and where information is customarily translated into other languages for 
operational reasons particular Authorities may wish to translate some or all of the 
material relating to Data Protection. This should be seen as an operational matter 
rather than as a requirement of the Data Protection Act 1984. 


If the Personal Data is not intelligible without explanation, appropriate explanations 
must be obtained from the Data Custodians. This requirement should be discussed 
with each Data Custodian in respect of all the systems for which he is responsible to 
establish the general requirements rather than treating each request as a separate 
exercise. At this stage in processing Subject Access requests it should only be a 
question of whether the agreed material has been provided rather than a detailed 
examination of what decoding material is required. 
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A18 Request Decoding Material 

Where the information is not intelligible in the sense defined above a request must 
be made to the Data Custodian to supply the necessary decoding material. The 
response to such requests should be monitored, especially as the deadline for 
producing the Subject Access information gets close. 


A19 Review Material 

At this stage all the Personal Data should be available together with any necessary 
decoding material and comments from the Data Custodians about possible 
problems. The Data Protection Co-ordinator should look at the information as a 
whole to make sure that no additional problems are likely to emerge. Any problems 
should by now have been identified, the seriousness assessed and appropriate ways 
should be devised to deal with them. 


10 Is the Personal Data covered by a Section 29(1) Order [Physical 
and Mental Health Data] ? 

On the second time that this question is asked, the detailed procedures are put into 

effect - as required by the Section 29 (1) Order. The draft version of this Order is 

set out, together with the DHSS Guidelines, as Draft Order 1 following the various 

Annexes to this chapter. 


A20 Seek Advice of Appropriate Health Professional 

The Order under Section 29 (1) indicates who the Appropriate Health Professional 
is likely to be and the DHSS Guidelines give further advice. The details are outlined 
in Draft Order 1 and the Health Authority is required to seek advice regarding 
specific issues from an Appropriate Health Professional. 


A21 Obtain Professional Advice as to: 
1 Serious Harm to the Data Subject 


2 Third Party Identification as required by Section 29 (1) 
Order 


The Order and DHSS Guidelines further elaborate various aspects of the handling of 
Personal Health Data under the proposed Order. If this Order, shown in draft form 
under Draft Order 1 at the end of this chapter, is not approved by Parliament, or not 
approved in the form envisaged in the draft, revised guidance will be drawn up. 


A22 Receive Health Professional's Report and Advice 

Having obtained the clinical advice from the appropriate Health Professional(s) the 
Health Authority is expected to act on that advice in line with the Order and the 
DHSS Guidelines. The Data User is responsible for taking appropriate action. 
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13 Does the Personal Data identify other individuals who are not 

covered by consents regarding access by the Data Subject? 
Where the Personal Data is not Personal Health Data, action should be taken in line 
with the Registrar's advice in Guideline 5 [pp 13-15]. The Personal Data should be 
reviewed [see, also, A21 Review Material] to see whether any identification is 
possible. If this is possible the appropriate action may be taken. There will be many 
cases where it would be better to leave some names in as a matter of Authority 
policy eg, for instance, Health Authority staff. The details depend on the purposes 
and usage of the Authority's data. 


A23 Remove Identifications 

As indicated by the Registrar's Guideline the identifying material may be removed 
but no more information than necessary must be removed. The problem of oblique 
identification remains for all data other than Personal Health Data (and any other 
data specified in other Orders) until the precise position has been clarified as to 
exactly what information in a system relates to which individual. 


14 Does the Personal Data contain any material that might be better 
not disclosed and which may be legally removed? 

Personal Data includes opinions but not the Data User's intentions in respect of the 

Data Subject. Material relating to such intentions may legally be removed if the 

Data User wishes. Also, if some material is held in a system that is covered by 

some exemption then it may also be removed if desired. 


A24 Remove Material 

At this final stage the Personal Data has been assembled but there may be a few 
minor items which the Data User has the option of removing if he desires. 
Information about intentions and information about other Data Subjects for which 
no consents have been obtained may be removed. However, information to 
which the Data Subject has a legal right must not be removed just 
because it is inconvenient, embarrassing, wrong or may lead to court 
proceedings. 


A25 Log Subject Access Available 
At this stage the copies of the Data Subject's Personal Data have been assembled for 


issue and this fact should be logged. 


15 Should the Personal Data be issued to the Data Subject Personally? 
It is open to the Data User to respond to the Data Subject as a routine security 
precaution, even where the Data Subject is not applying personally. However, there 
are circumstances where this may not be feasible, or convenient, and then a response 
directly to the applicant may be appropriate. 
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A26 Issue to Data Subject 

The Personal Data can be issued to the Data Subject in any agreed or convenient 
way. It may be helpful for it to be collected by arrangement but ordinary first class 
post to the agreed address is sufficient provided that it is posted in good time so that 
it will normally arrive at the Data Subject's address before the 40 day period has 
elapsed. It would probably be wise to use two envelopes with the inside envelope 
marked, using a stamp or "Able Label”, as follows:- 


"Confidential to be opened by the Addressee only. 
If undelivered please return unopened to the Health Authority at the following 
address" 


The outer envelope should look quite unremarkable. 


Where evidence of posting is desirable or where very sensitive information is being 
issued it would be worth resorting to recorded delivery. It would also be worth 
ensuring that the enclosed compliments slip gives the Data Subject a name and 
address to contact in case of any queries or follow up to the Subject Access request. 


The actual response to a Data Subject’s request should be formulated as a direct 
reply to the two questions listed in Section 21(1) of the Act as follows:- 


1 No I do not hold any Personal Data with you as the Data Subject under 
Register entry number X which I am required to reveal to you under 
the Subject Access provisions of the Data Protection Act 1984 


2 Yes I do hold Personal Data with you as the Data Subject under Register 
entry number X which I am required to reveal to you under the Subject 
Access provisions of the Data Protection Act 1984 and I am enclosing 
copies of that Personal Data for you. 


Where Personal Data is supplied, it would be helpful to record the date on which the 
data were extracted from the computer files. 


In either case it would be worth offering further assistance if there should be any 
queries that the Data Subject might have when he, or she, has thought about this 
response. 


A25 Issue to Applicant 

The process of issuing Personal Data to applicants is the same as for Data Subjects 
above but the wording of the covering compliments slip or letter may be slightly 
different. 
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A26 Log Issue as Authorised 

The issue of the Personal Data completes the handling of the Subject Access request 
but it must be appropriately logged and the Data Protection Co-ordinator should 
retain in his files a copy of the Personal Data issued. Such copies should not be 
retained indefinitely but they should be retained long enough to handle any queries 
arising from the individual request as well, if possible, as coping with repeated 
requests from the same individuals where knowledge of previous results may be 
helpful. This material should be held in a secure, locked safe or at least a secure 
metal filing cabinet with a good quality lock. 


In certain circumstances it may be possible for the Health Authority to discharge its 
responsibilities under the Act by arranging for a Data Custodian to send very 
sensitive information in a sealed envelope to the Data Protection Co-ordinator to 
forward unopened to the Data Subject or applicant. This enables the Health 
Authority to discharge its responsibility without disclosing the information to the 
Data Protection Co-ordinator. However, the normal process should be for the 
information to be handled by the Data Protection Co-ordinator who will ensure that 
all the appropriate steps are taken. He, or she, will have the need for confidentiality 
impressed on him, or her, during training as well as being clearly included in his, or 
her, contract of employment - in addition to any requirements built into any 
professional code of ethics/conduct to which the individual Data Protection 
Co-ordinator is subject professionally. 


As indicated in the draft Section 29(1) Order, a Health Professional may suggest that 


the Data Subject should be counselled at the time that the Subject Access information 
is made available. (See Draft Order 1) 
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4.6 Data Protection Filing 

The Data Protection Office should hold the Health Authority's official files handling 
Data Protection arrangements and the processing of Subject Access requests. In 
general, it should be unnecessary for departmental Data Custodians, or Health 
Professionals, to retain additional copies of Personal Data and-information relating 
to Subject Access requests. The main files should be available for authorised access. 


As much as possible of the recording and monitoring of Data Protection activities 
should be handled on a suitable computer system. It is hoped that the Scottish Data 
Protection Registration Administration System (DPRAS) will prove a considerable 
asset in handling these Subject Access procedures. 
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Annexe 4.1 
Questions for Handling Subject Access Requests 


[see fig 4.1] 

1 Is this a valid Subject Access request? [written request plus fee] ° 

2 Has the identity of the Data Subject been proved? 

3 Is the Data Subject personally making the request? 

4 Is the Data Subject under 18 years old? 

5 Has the identity of the applicant been proved? 

6 Is the applicant authorised to obtain the information on behalf of the Data 
Subject? 

7 Does the request contain sufficient detail to identify the register entry and the 
Personal Data being requested? 

8 _Is the list of systems complete? 

9 Is the request specially urgent or unduly delayed? 

10 Is the Personal Data covered by a Section 29(1) Order [Physical and Mental 
Health Data]? 

11 Have all the Data Custodians responded? 

12 Is the Personal Data intelligible? 

13 Does the Personal Data identify other individuals who are not covered by 
consents regarding access by the Data Subject? 

14 Does the Personal Data contain any material that might be better not disclosed 
and which may legally be removed? 

15 Should the Personal Data be issued to the Data Subject personally? 

Note 


Some questions may only be provisionally answered initially and require subsequent 
verification in the light of additional information, eg when there are several 
individuals with the same, or similar, names. 
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Annexe 4.2 


Subject Access Activity List 


[see fig 4.1] 


Add to List of Systems 

Collect Personal Data 

Data Requested by Data Custodians 
Expedite Request 


Identify and Locate Appropriate Health Professional 
Issue to Applicant 

Issue to Data Subject 

Issue Requests to Data Custodians 


List Relevant Systems 


Log Detailed Subject Access Request 
Log Issue as Authorised 

Log Subject Access Available 

Log Subject Access Request 


Monitor Progress of Requests 
Obtain Professional Advice as Required by Section 29(1) Order 
Procedures for Children 


Receive Health Professional's Report and Advice 
Remove Identifications 

Remove Material 

Request Authorisation 

Request De-coding Material 

Request Further Details 

Request Identity Applicant 

Request Identity Data Subject 

Request Responses 

Review Material 


Seek Advice of Appropriate Health Professional 
Subject Access Denied 
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Al0 
Al6 
Al2 
Al4 


Al5 
A27 
A26 
All 


A9 


A8 
A28 
A25 
Al 


Al3 
A21 
A4 


A22 
A23 
A24 
A6 
Al18 
A7 
AS 
A3 
Al7 
Al9 


A20 
A2 


August 28, 1987 


Annexe 4.3 


eee (re Dancin Oe) 
(The Data Protection Office | Data Protection Office 
SSSA SSNS 


NHS Request for Personal Information 
(Subject Access under the Data Protection Act 1984) 


PART A - IDENTITY DETAILS 
1 Name of person about whom information is being requested: the Data Subject 


Sumame [formerly ] 
Forename[s] 


Addresses current previous 


Date of birth [please give in all cases] 
2 Is the Data Subject....... 

{] ex/current staff - Go to Q3 

{] ex/current patient - Go to Q4 

[] neither/none - Go to Q5 


3 Payroll number 
4a NHS Number [from Medical Card] 
4b Hospital/Clinic/Speciality Approximate dates Record Number 


5 Please tick where applicable: 


[ ] Supplier [] Blood Donor 
[] Job Applicant {] Working contact 
[] Correspondent [] None 
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PART B - DETAILS OF REQUEST 
[This information is available from the Data Protection Act register] 


6 


DATA PROTECTION REGISTER ENTRY 
Registration Number Data User_: __ 
Organisational Subdivision = 


Reasons for Request be 


Please supply below additional information which you think will help in 
locating the information requested 


a of previous names 


b date of start of employment or training 


Notification of General Practitioner 

In the case of Personal Health Data it would often be helpful for a copy of this information to 
be supplied to your General Medical Practitioner. If you consent to this, please supply the 
name and address of your GP 


Please send/do not send a copy of any Personal Health Data to my General 
Practitioner 


WARNING 


You are advised that the making of false or misleading 
statements in order to obtain access to personal information 


to which you are not entitled is a criminal offence. 
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PART C - DECLARATION 


I declare that the information given in this form is correct to the best of my 
knowledge and that: 


[] I am the person named overleaf 


{] I am acting on behalf of the person named overleaf. Please give address if 
different from Data Subject 


signed date 


address [if applicable] 


PART D - CERTIFICATION 

I (insert full name) certify 

that I have known for years 
and certify that *he/she is known to me under this name as an 
*employee/client/patient/personal friend and I have just seen *him/her sign this 


Subject Access request form for Personal Information under the Data Protection 
Act 1984 


[* delete as applicable] 

signed date 
Name 

Address 


Daytime telephone no for confirmation of identification. 
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Notes for Completing the Subject Access Form 


Identification 

It is necessary to ensure that confidential information is only released to the person 
themselves (or their representatives, guardians etc). This is more readily done with 
certain groups of people than others. Furthermore, identification is even more 
important when sensitive information is being sought. Please select the most 
appropriate and convenient approach to establishing your identity to the Health 
Authority. In the case of staff a well known colleague or manager may be a 
convenient means of establishing your identity. For patients, record numbers and 
information about attendance or admission together with approximate dates will 
not only help to establish your identity but also help locate the information you are 
requesting. 


Children 
Special arrangements apply to children which will be explained on request 


Disclosure of Information 

There is no need for anyone to know the details that you provide in confidence to the 
Health Authority. The sole purpose of requiring that the form should be 
countersigned is to assist in establishing your identity to the Health Authority. 


Authority's Registrations 

It would be helpful to list with these notes the Authority's Registrations in outline, 
together with the Data Protection Register numbers to simplify the Data Subject's 
selection of relevant data systems. 
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Annexe 4.4 
Data Protection Subject Access Recording 
Log 
Administrative check list 
File with Subject Access Request and other Details 


Record Dates and Activities: Note Problems, Sign and Date Completion on 
Reverse 


Al Log Subject Access Request / of Fee received Yes/No 
A2 Subject Access Request Denied / / Number of systems to be accessed 
A3 Request Identity Data Subject / of Number of Data Custodians to 
Data Subject Identified / / provide information 
Request Identity Applicant Bt Child Access Yes/No 
Applicant Identified / of Age of child 
Request Authorisation / of Access by parent/guardian/ or 
Authorisation received / / other individual agreed Yes/No 
A7 Request Further Details / of Access by adult consent Yes/No 
Further details received / / Sufficient detail supplied Yes/No 
A8 Log Detailed S/A Request / of REQUEST ACKNOWLEDGED Yes/No 
All Issue Requests to Data Custodians /  / Health Information Requested Yes/No 
WEEKLY REVIEWS NOTES 
ist [ACTION /URGENT ] / of In progress/ some received /ali received 
2nd [ ACTION /URGENT J ‘7 In progress / some received / all received 
3rd_ [ ACTION /URGENT ] / of In progress / some received / all received 
4th [ ACTION /URGENT ] /o/ In progress / some received / all received 
5th [ACTION /URGENT J / sof In progress / some received / all received 
6th [ ACTION /URGENT ] / of In progress / some received / all received 
Later [ ACTION /URGENT } / sf In progress / some received / all received 
Al4 Request expedited / ot 
Al7 Request Responses / / Se aa ok ke 
Last Personal Data arrives / of **RECORD REASON FOR ANY 
A18 Request Decoding Material /of REFUSAL OF ACCESS IN FILE** 
Material arrives 1 of FEE EEE EEE 
A20 HP Advice sought / of 
A22 HP Report and Advicereceived / / Personal Data Issued by: 
A26_ Log Issue as Authorised [name] 
to Data Subject/A pplicant ‘of et ee ee [date] 
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NOTES 
1 Any problems arising in the handling of this request should be noted here and 
referenced to the relevant Subject Access file. 


2 Any special advice from the Data Protection Registrar's office, the NHS 
Centre for Information Technology, the Regional Data Protection Officer or 


the Health Authority's legal advisers should be noted. 


3 Any advice from a Health Professional in respect of a Subject Access request 
should also be noted. 


Lead Health Professional 


Name 
Address 


Telephone number 
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Annexe 4.5 


The Data Protection Office 


Request for Further Information 


Subject Access Request Number 
Data Subject's Name 


DP Register Entry 


Dear Enquirer, 


The information provided in your request for your personal information held by 
my Health Authority is not sufficient for me to establish:- 


your identity as the person on whom information is held 


a 
b your identity as an applicant to obtain information on somebody else 
c your authority to receive information about somebody else 

d 


which information you require and where I might find it 
[delete as appropriate] 
In order to clarify these matters I should be grateful if you would fill in and sign the 
accompanying form, paying particular attention to the marked items. I will then see 


that the processing of your Subject Access request is put in hand forthwith. 


Yours sincerely 


Data Protection Co-ordinator 
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Annexe 4.6 


The Data Protection Office 


Subject Access Request Denial 


Subject Access Request Number. 
Data Subject's Name 


DP Register Entry 


Dear Enquirer, 


I have examined your request for Personal Information under the Data Protection 
Act 1984 and for the following reasons I cannot proceed:- 


I have not had a written request from you 

I have not had the £10 fee from you for this service 

I have not been able to verify your identity as Data Subject/Applicant 

I have not been able to establish your authority to receive the information 

I have not been able to obtain sufficient information from you to find and 


mo ao St Bf 


locate the Personal Information you require 


[delete as appropriate] 

Accordingly, I am concluding my attempt to secure a copy of your Personal 
Information. If you have further information to help me deal with the matter, I 
shall be happy to take it up. 


Yours sincerely 


Data Protection Co-ordinator 
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Annexe 4.7 


The Data Protection Office 


Response to Subject Access Request 
under the Data Protection Act 1984 


Subject Access Request Number 
Data Subject’s Name 
DP Register Entry 


Dear 


The Subject Access provisions of the Data Protection Act 1984 are designed to 
provide the answers to the Data Subject on two questions:- 


1 AmTholding data on you? 
2 If so, what is it? 


in respect of a particular entry in the Data Protection Register held by my Health 
Authority. 


The answers to these questions are as follows:- 


1 I am/am not holding any Personal Data under the above Data Protection 
Register entry which I am required to reveal to you under the Subject Access 
provisions of the Act. 


2 The information I am required to reveal to you is attached and the date(s) on 
which it was extracted from the files is noted. 


[delete as appropriate] 


Yours sincerely 


Data Protection Co-ordinator 
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Annexe 4.8 


The Data Protection Office 


Subject Access Request to Data Custodian 


Subject Access Request Number 
Data Subject's Name 


DP Register Entry 


Dear Data Custodian 

I have received the attached Subject Access request and it has been validated on 
Please will you search your data system(s) and provide me with a copy of any 
Personal Data you hold on the Data (sion together with a copy of any necessary 
decoding information, by 


A certification form and an addressed return envelope are attached to assist. 


Please note that a positive nil return is required if you do not hold Personal Data on 
the Data Subject. 


Yours sincerely 


Data Protection Co-ordinator 
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Annexe 4.9 


IIIS SS SSS SSN 


4 The Data Protection Office 


VO 


Departmental Data Custodian's Certificate 


Me 
DP 


Date / / Subject Access Request Number 
Department Data Subject's Name 
DP Register Entry 


Dear Data Protection Co-ordinator 
Ihave/have not searched my files and certify that 
1‘ [hold no Personal Data on this Data Subject on my Data systems 


2  Ionly hold the enclosed Personal Data on this Data Subject and I have noted the 
dates on which these data were extracted from the files 


3 Decoding sheets required to render the information intelligible are attached 


4 Particular problems arise in handling this request and these have been outlined 
overleaf. Please telephone/arrange a meeting to discuss this more fully. 


[delete as applicable] 


Yours sincerely 


Data Protection Custodian 
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HEALTH CIRCULAR DRAFT ORDER 1 HC(87)14 


DEPARTMENT OF HEALTH AND SOCIAL SECURITY 


To: 
Regional Health Authorities 
District Health Authorities 
Special Health Authorities 
for the London Postgraduate 
Teaching Hospitals 
Family Practitioner Committees 


for action 


wwewwwww 


Mental Health Act Commission ) for information 
Community Health Councils ) 


SEPTEMBER 1987 
AL ERVI. A 
DATA PROTECTION ACT 1984: MODIFIED ACCESS TO PERSONAL HEALTH INFORMATION 


Unless otherwise notified, this circular but not the Order to which it refers 
will cease to be valid on 10 November 1992. 


Summary 


1. This circular advises on the terms of an Order which the Secretary of 
State proposes to lay before Parliament and which, subject to Parliament's 
wishes will come into effect on 11 November 1987. A copy of the proposed 
terms of the Order together with guidelines on the procedures for implementing 
the provisions of the Order are enclosed. 


Caveat 


2. This circular must not be read as an indication of Parliament's approval 
of the Order. The Order may be amended before it is laid and once it has been 
laid it will be subject to affirmative resolution in both Houses of 
Parliament. This circular and its enclosures are being made available now so 
that Data Users can undertake preliminary planning arrangements. Whether it 
will be necessary to implement or alter these arrangements will depend on the 
wishes of Parliament. 


Background 


3. The Data Protection Act 1984 gives new rights to people about whom 
information is recorded on computer. They may find out information about 
themselves, challenge it if appropriate and claim compensation in certain 
circumstances. 
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4. From 11 November 1987 any one will be entitled, on making a written 
request and paying a fee, to be supplied by any “Data User" with a copy of any 
personal data held about him or her. The information need not necessarily be 
supplied as a printout. The Data User may choose to write or type the 
information to be supplied with any accompanying explanation. A request for 
“subject access" must be responded to within 40 days. If it is not, the 
applicant (in legal terms, the "Data Subject") is entitled to complain to the 
Data Protection Registrar. 


5. Section 29(1) of the Data Protection Act 1984 allows the Secretary of 
State to exempt from subject access personal data about the “Data Subject's" 
physical or mental health or to modify the subject access provisions in 
relation to this type of personal data. 


6. The Secretary of State has agreed that an Order should be made to modify 
the provisions of subject access relating to personal health data. The 
proposed terms of the Order are at Annex A. This should be read in 
conjunction with the draft procedural guidelines which are enclosed at Annex B. 


Modified Subject Access to Personal Health Data 


7. The Order allows access to data relating to the physical or mental health 
of the data subject to be modified to enable a data user to withhold data 
which is likely to cause serious harm to the physical or mental health of the 
Data Subject or another person, and data which would lead to identification of 
another individual other than a "Health Professional"* who has been involved 
in the care of the data subject. 


8. The general assumption is that data subjects will normally be provided 
with access to personal health information held about them on computers and 
modification of that access will only be allowed in the limited circumstances 
described in paragraph 7 above. 


9. A Data User who is not a Health Professional is required to consult the 
appropriate Health Professional as defined in the Order before providing or 
witholding access. In the absence of a response to a request for advice on 
whether information should be withheld, the Data User is obliged to provide 
access to the applicant. 


10. The data to which the Order applies is defined in article 3 of the Order. 
Procedures 


11. The Act does not prescribe the use of a standard request form. A form 
would however be useful in advising the aata Subject about the access 
arrangements, to ensure that all the information which is administratively 
necessary is provided by the data subject and to obtain the consent of the 
Data Subject to the report being copied to his general practitioner. 


12. The appeals procedure for personal health information will be the same as 


that set out in the Data Protection Act 1984. The Data Protection Registrar 
will have the benefit of medical advice. 


*The term ‘Health Professional’ means any person specified in the schedule to 
the Order. 2 
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13. The statutory time limit for providing access is 40 days from the time the 
application is accepted by the Data User as being a valid application. An 
applicant who has not received a response within this period may complain to 
the Data Protection Registrar. The Data User may have to demonstrate to the 
Data Protection Registrar's satisfaction that the application has been dealt 
with as expeditiously as possible and that there have been no unnecessary 
delays. 


14, The procedures which each Data User devises to comply with the provisions 
of the Data Protection Act 1984 will in part depend on his own local 
circumstances and the structure of his organisation. The procedures must 
allow for the administrative arrangements, the receipt of health professional 
advice and the maintenance of confidentiality of personal health information. 
Guidelines which might form the framework for local procedures are enclosed at 
Annex B. 


15. In these guidelines the Data User means the person registered under the 
Data Protection Act 1984 who controls the contents and the use of a collection 
of personal health data. This will normally mean the Health Authority or, in 
practice, a person or persons eg data coordinator or medical records clerk 
etc, acting on behalf of the Authority. The guidelines distinguish between 
these administrative personnel and the health professional who may (but not 
necessarily) be employed by the Health Authority and whose advice the Data 
User will be obliged to seek about the withholding of data before providing 
access. 
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16. The position of children and the rights of parents under the Data 
Protection Act 1984 is extremely complex. Legal advice is being urgently 
sought and further advice will be sent to health authorities as soon as 
possible. 


Action 


17. Authorities are asked to consider this guidance, to draw it to the 
attention of all Health Professionals and to determine their own policies and 
procedures in accordance with it in preparation of the Order coming into 
effect on 11 November 1987. 


From: 
Health Services Division (HS1C) 
Alexander Fleming House 
Elephant and Castle 
London SE1l 6BY 


Tel: 01-407 5522 Ext 6682 CFD 45 

Further copies of this circular may be obtained from DHSS Stores, Health 
Publications Unit, No 2 Site, Heywood, Lancs 0L10 2PZ quoting the code and 
serial number appearing at the top right-hand corner. 


(c) Crown Copyright 


This circular may be freely reproduced by all those to whom it is addressed. 
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ANNEX A 


THIS IS THE DRAFT OF AN ORDER WHICH, SUBJECT TO 
MINISTERIAL APPROVAL, THE SECRETARY OF STATE HAS IN: 
MIND TO LAY BEFORE PARLIAMENT. THE ORDER MAY BE 
AMENDED BEFORE IT IS LAID AND ONCE IT HAS BEEN LAID 
IT WILL BE SUBJECT TO AFFIRMATIVE RESOLUTION IN 
BOTH HOUSES OF PARLIAMENT. THE DRAFT ORDER AND THE 
ACCOMPANYING GUIDELINES ARE BEING ISSUED SO THAT 
DATA USERS CAN UNDERTAKE PRELIMINARY PLANNING 
ARRANGEMENTS. WHETHER IT WILL BE NECESSARY TO 
IMPLEMENT OR ALTER THESE ARRANGEMENTS WILL DEPEND 
ON THE WISHES OF PARLIAMENT. 


DATA PROTECTION (SUBJECT ACCESS MODIFICATION) 


Whereas a draft of this Order has been laid before and approved 


by a resolution of each House of Parliament: 


Now, therefore, in exercise of the powers conferred upon me 


by section 29(1) and (3) of the Data Protection Act 1984(a) and 


after consultation with the Data Protection 


accordance with section 40(3) of that Act, I hereby make the 


following Order:- 


1. This Order may be cited as the Data Protection (Subject 


Access Modification) (Health) Order 1987 and shall come into 


force on 11th November, 1987. 


2. In this Order - 


"the Act" means the Data Protection Act 1984; 


(a) 1984 c.35 


"care" includes examination, investigation 
and diagnosis; 

"dental practitioner" and "medical 
practitioner" mean, respectively, a person 
registered under the Dentists Act 1984( ) and 
the Medical Act 1983( ); 

"health authority" has the same meaning as in 
section 128(1) of the National Health Service 
Act 1977( )? 

"Health Board" has the same meaning as in 
section 108(1) of the National Health Service 
(Scotland) Act 1978( ); 

"Health and Social Services Board" has the 
same meaning as in Article 16 of the Health 
and Personal Social Services (Northern 
Ireland) Order 1972( ); 

"health professional" means any person listed 
in the Schedule to this Order; and 

"the subject access provisions" has the 
meaning which it has for the purposes of Part 
Iv of the Act. 

3.-(1) Subject to paragraph (2) below, this Order applies to 
personal data consisting of information as to the physical or 
mental health of a data subject if - 

(a) the data are held by a health professional; or 

(b) the data are held by a person other than a health 


professional but the information constituting the data 


( ) 1984 e@.24. ( ) 1983 ¢.54. ( ) 1977 e.49. This definition 
was amended by Schedule 3 to 1984 c.48. ( ) 1978 ¢.29. 
( ) 8.1.1972/1265 (N.I.14.). 


was first recorded by or on behalf of a health professional. 

(2) This Order is without prejudice to any exemption from 

the subject access provisions contained in any provision of the 
Act. 

4.-(1) The subject access provisions shall not have effect 
in relation to data to which this Order applies in any case where 
either of the requirements specified in paragraph (2) below is 
satisfied with respect to the information constituting the data 
and the obligations contained in paragraph (5) below are complied 
with by the data user. 

(2) The requirements referred to in paragraph (1) above 
are that the application of the subject access provisions - 

(a) would be likely to cause serious harm to the 

physical or mental health of the data subject or any 

other person; or 

(b) would be likely to disclose to the data subject the 

identity of another individual (who has not consented 

to the disclosure of the information) either as a 

person to whom the information or part of it relates or 

as the source of the information or enable that 

identity to be deduced by the data subject either from 

the information itself or from a combination of that 

information and other information which the data 

subject has or is likely to have. 
(3) Paragraph (2) above shall not be construed as 
excusing a data user - 

(a) from supplying the information sought by the 


request for subject access where the only individual 


whose identity is likely to be deduced as mentioned in 
sub-paragraph (b) thereof is a health professional who 
has been involved in the care of the data subject and 
the information relates to him or he supplied the 
information in his capacity as a health professional; 
or 

(b) from supplying so much of the information sought by 
the request as can be supplied without causing serious 
harm as mentioned in sub-paragraph (a) thereof or 
enabling the identity of another individual to be 
disclosed or deduced as mentioned in sub-paragraph (b) 
thereof, whether by the omission of names or other 
particulars or otherwise. 

(4) In relation to data to which this Order applies, 
section 21 of the Act shall have effect as if subsections (4) (b) 
and (5) were omitted and as if the reference in subsection (6) to 
the consent referred to in the said section 21(4)(b) were 
construed as a reference to the consent referred to in paragraph 
(2) (b) above. 

(5) A data user who is not a health professional shall 
not supply information constituting data to which this Order 
applies in response to a request under section 21 and shall not 
withhold any such information on the ground that one of the 
requirements specified in paragraph (2) above is satisfied with 
respect to the information unless the data user has first 
consulted the person who appears to the data user to be the 
appropriate health professional on the question whether either or 


both of those requirements are so satisfied. 


(6) In paragraph (5) above “the appropriate health 
professional" means - 

(a) the medical practitioner or dental practitioner who 
is currently or was most recently responsible for the 
Clinical care of the data subject in connection with 
the matters to which the information which is the 
subject of the request relates; or 

(b) where there is more than one such practitioner, the 
practitioner who is the most suitable to advise on the 
matters to which the information which is the subject 
of the request relates; or 

(c) where there is no practitioner available falling 
within sub-paragraph (a) or (b) above, a health 
professional who has the necessary experience and 
qualifications to advise on the matters to which the 
information which is the subject of the request 
relates. 

(7) Section 21(8) of the Act shall have effect, in 
relation to data to which this Order applies, as if the reference 
therein to a contravention of the foregoing provisions of that 
section included a reference to a contravention of the provisions 


contained in this Article. 


Home Office One of Her Majesty's Principal 


1987 Secretaries of State 


Article 2 


SCHEDULE 


HEALTH PROFESSIONALS 


DESCRIPTION STATUTORY DERIVATION 


(where applicable) 


Registered Medical Medical Act 1983(a ) Section 55. 
practitioner 
Registered dentist Dentists' Act 1984, section 
53(1)(b). 
Registered optician Opticians Act 1958, section 
30(1) (ec). 
Registered pharmaceutical Pharmacy Act 1954, section 
chemist or druggist 24(1) (a). 


Pharmacy (Northern Ireland) 
Order 1976, Article 6(1)(e). 


Registered nurse, midwife Nurses, Midwives and Health 
or health visitor Visitors Act 1979, section 10(f). 
Registered chiropodist, Professions Supplementary to 
dietician, occupational Medicine Act 1960, section 1(2)(g). 


therapist, orthoptist 
or physiotherapist 
(subject to the Note below.) 
Clinical psychologist, 
child psychotherapist or 
speech therapist 
Art therapist or music 
therapist employed by a 
health authority, Health 
Board or Health and Social 
Services Board 


DESCRIPTION STATUTORY DERIVATION 


(where applicable) 


Scientist employed by such 
an authority or Board as 
a head of department 


Note This category shall be construed as not including any 
person belonging to a profession specified in the first column 
which, by virtue of an Order under section 10 of the Professions 
Supplementary to Medicine Act 1960, is for the time being treated 
as if it were not mentioned in section 1(2) of that Act and as 
including any person belonging to a profession not specified 
therein which is for the time being treated by virtue of such an 
Order as if it were mentioned therein. 


(a) 1983 c.54. (b) 1984 ¢c.24. (c) 1958 c.32. 
(ad) 1954 c.61. (e) S.I.1976/1213 (N.I.22). 
(f) 1979 ¢c.36. (g) 1960 c.66. Section 1(2) was amended by 


S.I.1966/990 and S.1I.1986/630. 


EXPLANATORY NOTE 
(This note is not part of the Order) 

This Order provides for the partial exemption from the 
provisions of the Data Protection Act 1984 which confer rights on 
data subjects to gain access to data held about them ("the 
subject access provisions") of data relating to the physical or 
mental health of the data subject held by any data user where the 
data are held by a health professional or the information 
constituting the data was first recorded by or on behalf of a 
health professional. Schedule 1 to the Order lists the persons 
who are health professionals for the purposes of the Order. 

The subject access provisions are disapplied only where to 
supply the data subject with particulars of the information 
constituting the data would be likely to cause serious harm to 
his physical or mental health or that of another person or lead 
to the identification of another person (other than a health 
professional who has been involved in the care of the data 
subject). Before deciding whether either of those criteria is 
met a data user who is not a health professional is obliged by 
the Order to consult the medical practitioner or dental 
practitioner responsible for the clinical care of the data 
subject or, if there is more than one, the most suitable 
available medical or dental practitioner or if there is none 
available a health professional who has the necessary experience 
and qualifications to advise on the matters to which the 


information which is requested relates. 


GUIDELINES FOR A MODIFIED ACCESS PROCEDURE FOR COMPUTERISED PERSONAL HEALTH 
INFORMATION 


Administration 


1. Each subject access application must be examined to confirm its validity 
and that the prescribed fee has been paid. (The statutory time limit for 
providing access commences from the date when the application has been 
accepted as valid and the fee has been received. Receipt of a valid 
application should be logged). ; 


2. The application may be made by a data subject, by a person authorised by 
the data subject, [by a person in loco parentis], by a person authorised to 
act on behalf of the data subject, or by a person having a power of attorney. 
Where the applicant is not the data subject, the applicant should receive only 
the information which would otherwise have been made available to the data 
subject. 


3. If the application is defective the applicant must be advised. 


4. If the application is valid and a computer record is held in respect of 
the data subject the Data User should obtain a copy of the print out. 


5. The Data User should confirm whether the record(s) include(s) personal 
health data. (Personal health data means any personal information relating to 
the physical or mental health of any person from which that person can be 
identified and will include all information collected from the patient or 
other sources, or created or added to by the Data User. Details of birth, 
address etc within a health provision context are personal health data). 


6. If personal health data is not involved the application should be 
processed administratively. 


7. If the record includes personal health data but does not include all the 
clinical notes, the manual records should be obtained so that the health 
professionals (HPs) responsible for the clinical care of the subject can be 
identified. These records, or copies of them, may have to be retrieved from 
other locations. 


The Data User's procedures must ensure that confidentiality of patients’ 
records are fully protected. If subject access and other aspects of data 
protection are co-ordinated separately, reference to and liaison with medical 
records administrators will be necessary. 


8. The Data User should identify the person who appears to be the 
appropriate health professional to be consulted about whether personal health 
information should be withheld (the lead HP) and should not proceed with the 
data subject's application for access without doing so. 


9. A lay Data User should always send the papers (validated access request, 
computer print out and manual records) to the lead HP. The inclusion of the 
manual records is to help the lead HP to identify which other health 
professionals should be consulted and to help him decide whether access to the 
computerised data should be modified. 
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Consultation with Health Professionals 


Note: In all cases the Data User should seek the advice of the medical or 
dental practitioner who has had clinical responsibility for the data subject 
and this practitioner should seek the views of other health professionals who 
have had a significant input to the Data Subject's care. In the circumstances 
where such a practitioner is not available or has not had clinical, 
responsibility for the data subject, the data user should seek the advice of 
the health professional who seems most appropriate to advise on the subject 
matter of the request eg a nurse, health visitor or a clinical psychologist. 


10. The lead HP's actions commence with the receipt of the papers from a lay 
Data User or, if he himself is the Data User, from the time he has collected 
all the papers together. 


11. The lead HP should examine the papers to identify any other HPs who have 
first recorded data or on whose behalf data has first been recorded, who have 
had a significant input to the Data Subject's care and whose advice on whether 
to withhold data may be needed. 


12. The lead HP may wish to defer to another HP who has been clinically 
responsible for a more significant aspect of the subject's care and who will 
then be regarded as the lead HP. 


13. The other HPs should be consulted if reasonably practicable. This may 
involve circulating copies of the papers to other locations. The original 
record should be available in an emergency. 


14. Each HP consulted should familiarise himself with the Order under Section 
29(1) of the Act and indicate: 


i. the computerised data which should not be disclosed because it is 
likely to cause serious harm to the physical or mental health of the data 
Subject or another person; 


ii. the.computerised data which should not be disclosed because it is 
likely to lead to the identification of another individual othen than a 
health professional who has been involved in the care of the data subject. 


The papers should be returned to the lead HP. 


15. The lead HP should ensure that other HPs have had the opportunity to make 
their views known, 


16. The lead HP should take account of the views received from other HPs and 
he should advise what computerised data is likely to cause serious harm and 

what information relating to other individuals should be withheld. He should 
bear in mind what the data subject already knows of his manual record and that 


only information held _on computer is required to be disclosed under the terms 
of the Data Protection Act. 


17. The lead HP should prepare a report of all the computerised information 
which can be released to the applicant taking account of the advice of other 
HP(s) ensuring that it is in terms which are intelligible to the applicant. 
This does not entail describing the significance of a particular differential 
diagnosis or of a particular pathological value. 
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os! 


18. The lead HP should also prepare a separate summary indicating the various 
points which may have to be explained to the data applicant and who is the 
most appropriate HP to give an explanation and to provide any counselling that 
may be considered necessary. A further summary should indicate the data that 
has been withheld and the reasons for withholding it. This summary should be 
held in the notes for future reference and not be given to the Data Subject. 


19. The papers should be returned to the Data User, if the HP is not himself 
the Data User. 


Arrangements for Disclosure 


Note: The fact that information has been withheld could be as harmful to data 
subjects as the information itself. Data Users are therefore advised not to 
inform only those applicants from whom data has been withheld but to preface 
all reports with a standard disclaimer eg 


"This report consists of all the computerised information which [I am] 
[this authority is] obliged to provide under the terms of the Data 
Protection Act 1984 as modified by the Data (Subject Access Modification) 
(Health) Order 1987." 


If the Data Subject enquires whether information has been withheld, the Data 
User may offer an explanation of the terms of the Section 29(1) Order. The 
Data User is not obliged to disclose whether information has been withheld or 
not. If a Data User who is not a health professional discloses the fact that 
information has been withheld, the lead health professional must be notified 
as soon as possible. 


20. The Data User should ensure that the lead HP's report and summaries are 
clearly understood and recorded and should normally abide by the lead HP's 
advice. 


21. %If the lead HP has advised that no explanation or counselling is 
necessary, the Data User should forward the report to the Data Applicant, 
advise him where he may seek further explanation if he wishes, and where the 
Data Subject has consented, send a copy of the report to the Data Subject's GP. 


22. If the lead HP has advised that an explanation and/or counselling is 
necessary, the Data User should arrange an appointment for the appropriate HP 
to see the Data Subject and/or Applicant. 


23. When the appointment has been confirmed and prior to the consultation, 
all relevant papers, including the report and summaries should be sent to the 


appropriate HP. 


24. At the interview the HP should explain the report and provide any 
necessary counselling. He should give the report to the Data Applicant and 
advise him where he might seek further advice or help if this is appropriate. 


Disposal 


25. After the meeting the HP should return the papers to the Data User and, 
if the Data Subject has consented, send a copy of the report to the Data 
Subject's GP. 


JW/6073b/3 


26. The Data User should record the details of all instances in which 
access has been modified either on the grounds that it is likely to cause 
serious harm or lead to the identification of another individual. 


27. All records should be returned to the appropriate location. 


Flowchart for Procedures 


The actions set out above are intended to help Health Authorities implement 
the requirements of the modified access to personal health information 
provisions under the Data Protection Act. Authorities may wish to adapt the 
arrangements, to meet their own local circumstances or to supplement the 
guidelines with further instructions. 
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Appendix 1 
Outline of Data Protection Functions 


There is a wide variety of ways in which the various Data Protection functions may 
be discharged by assigned individuals and committees. The basic tasks are outlined 
below. 


REGIONAL HEALTH AUTHORITY 
Regionwide Data Protection Functions 


General Description 

The Regional Health Authority should maintain surveillance over all aspects of 
Data Protection throughout the Region and ensure Regional compliance with the 
Data Protection Act 1984. Adequate liaison should also be established with the 
Centre for Information Technology (CIT), the Data Protection Registrar's Office 
and, where necessary, Data Protection Officers in other Regions. 


Tasks to be assigned include: 
1 The acquisition and maintenance of knowledge of the requirements of the Data 
Protection Act 1984 and its application to the NHS 


2 Liaison with the District Data Protection Co-ordinators, District Data 
Custodians and, where necessary, the District General Managers regarding 
compliance with the Act 


3 Liaison with Districts with a view to simplifying the registration process 


4 Liaison with the Centre for Information Technology (CIT), the DHSS and the 
Registrar's Office concerning the requirements for handling Subject Access 
and security 


5 Guidance to Region and Districts on the requirements for Subject Access, 
especially for access to the Physical and Mental Health records 


6 Monitoring requests for Subject Access and responses to requests for Subject 
Access across the Region 


7 Monitoring the activities of Data Protection Co-ordinators throughout the 
Region by inspecting Data Protection and Complaint logs, Subject Access and 
Disclosure logs and by carrying out suitable Data Protection compliance 
checks 
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10 


11 


12 


Monitoring changes to working practices of all types and giving guidance 
where any such changes are found to come within the remit of the Data 
Protection Act. 


Advising the Region or District, in the event of any action being taken against 
the Region or any District, through such action at a tribunal, Magistrate's 
Court, the High Courts or other defined place 


Maintenance of regular contact between Region and Districts, and between all 
the Districts, mainly in the form of meetings 


Keeping Districts informed of any changes or implications which might from 
time to time become apparent 


Maintenance of an adequate programme of training and familiarisation with 
the requirements of the Data Protection Act throughout the Region 


13 * Monitoring the work of the Regional Data Protection Co-ordinator 


Relationships 
Liaison will need to be established with the Regional General Manager and senior 
staff in the Region's Divisions as well as with senior staff throughout the Region 


* 


Note 


According to the amount of work involved and the degree of Regionwide liaison 
considered desirable, the Regionwide Data Protection function may or may not be 
allocated to the individual(s) concerned with the implementing of the Act in the 
Regional Health Authority itself. 
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ANY HEALTH AUTHORITY 
Data Protection Co-ordination 


General Description 

The Health Authority is responsible for maintaining surveillance over all aspects of 
Data Protection throughout the Authority and ensuring compliance with the Data 
Protection Act 1984. 


Tasks to be assigned 


1 


11 
12 


3 


Acquisition and maintenance of knowledge of the requirements of the Data 
Protection Act 1984 and its application to the NHS 


Responsibility for compliance with the Data Protection Act 1984 and the Eight 
Data Protection Principles throughout the Authority's offices 


Maintenance of the Authority's registrations under the Data Protection Act 
1984 


Monitoring the Authority's compliance for security (equipment, disposal of 
printout, disclosures, etc) 


Maintenance of a register of the Authority's equipment covered by the Data 
Protection Act 1984 


Maintenance of the Authority's Register of Systems 

Receiving and processing all applications for Subject Access to the Authority's 
Data Systems and monitoring such applications through the appropriate 
departments. Ensuring that all applications are returned to the applicant 
within the time limit and are in a suitable format 

Maintenance of the Authority's Data Protection and Complaints log 


Maintenance of the Authority's Subject Access and Disclosure log 


Carrying out Data Protection Compliance checks in the Authority's 
Departments to verify compliance with the requirements of the Act 


Liaison with the Regional Data Protection function 
Monitoring changes to working practices of all types, and where any such 


changes are found to come within the remit of the Data Protection Act, to take 
appropriate action 
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13. Guiding the Authority, in the event of any action being taken against the 
authority, through such actions as at a tribunal, Magistrate's Court, the High 
Courts or other defined place. 


14 Monitoring and assisting with training of all staff in the requirements of the 
Data Protection Act within the Authority 


Relationships 
Liaison will need to be established with the General Manager and senior staff in the 


Authority 
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ANY HEALTH AUTHORITY 
Functions of Departmental Data Custodian 


General Description 
The task of the assigned Data Custodian under the Data Protection Act 1984 is 
additional to the appointee's other duties within his/her department 


The assigned Data Custodian has responsibility within his/her own Directorate for 
the Authority's use of one or more specified systems which process Personal Data. 
The Data Custodian's responsibilities apply solely to such Personal Data. 


Responsibilities 

General 

The Data Custodian is responsible for ensuring that the Eight Principles of the Data 
Protection Act 1984 are fully implemented and honoured; and that all uses of the 
systems under his/her control comply with all of: 


- the Authority's registrations under the Data Protection Act 1984 

~ the authorisations agreed with the Authority's Data Protection Co-ordinator 
- the Authority's Policy Document, Code of Practice, and 

- the Departmental User Guide, which he/she is responsible for compiling. 


‘Authorisation’ is a global term which comprises: 


- authority for the specific uses of the departmental systems, including systems 
which are considered to be exempt from various requirements of the Act and 
which must maintain any conditions under which the exemption has been 
granted 


- authority for designating specified persons to obtain, process, use and disclose 
Personal Data associated with the systems 


- authority for the safe custody of all Personal Data, and responsibility for 
ensuring that these data are not disclosed in any way incompatible with the 
Principles and definitions of the Act and the Authority's registrations 


- authority to designate which members of the department's staff have access to 
Personal Data, and to define appropriate subsets of their departmental data 
which various staff may access (if applicable), to enable each member of staff 
to undertake his/her own duties on behalf of the Authority 


- authority to make variations as systems and working procedures change from 


time to time, and to notify/consult the Regional Data Protection Co-ordinator 
accordingly 
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Subject Access 

The Data Custodian will receive the request for Subject Access from the Authority's 
Data Protection Co-ordinator. The Data Custodian will have responsibility for 
producing the Personal Data for Subject Access in an appropriate format, with 
appropriate explanations, within twenty calendar days (or other locally designated 
period) from the receipt of the applications by the Health Authority's Data 
Protection Co-ordinator. 


Data for Subject Access must be in a form which is easily understandable, and 
should not contain codes or abbreviations. If it is thought that this might be | 
inappropriate, a suitable format for the document, to include clearly defined 
definitions, must be agreed with the Authority's Data Protection Co-ordinator - for 
new systems, before implementation; for systems existing at initial registration, in 
adequate time before Subject Access becomes applicable on 11 November 1987. 


Education/Training 

The Data Custodian should be familiar with the requirements of the Data Protection 
Act 1984 and have attended a suitable seminar. He/she is responsible for seeing that 
staff in his/her department have an adequate working knowledge of their 
responsibilities under the Act, know the eight Principles and work within them. 


Documentation 

The Data Custodian must be able to satisfy the Authority's Data Protection 
Co-ordinator, all Users of the systems and any Data Subjects who enquire, that the 
systems comply with the Act and the Authority's registrations. As part of this task 
he/she will hold, update as necessary, and make available for inspection on request, 
a copy of the Authority's relevant registrations, and all other documents as may be 
issued from time to time, ie Policy Document, Code of Practice, and the 
Departmental User Manual. A list of authorised users of the various systems should 
also be maintained. 
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Appendix 2 


North East Thames Regional Health Authority 


SRR 


{ The Data Protection Office } 


tae as 


VN 


St Faith's Hospital, London Road, Brentwood, Essex CM14 4QP 
Dr Barry Barber, Data Protection Co-ordinator. Brentwood (0277) 228470 


Data Protection Co-ordinators - final date for return to my office 31 December 1986 


CONFIDENTIAL to NHS CIT DATA PROJECT 
and your Regional Data Protection Co-ordinator 


SURVEY OF DATA PROTECTION ACTIVITY 
IN THE HEALTH AUTHORITIES OF THE NHS 


Name of Authority Region/District//Special Authority/Other 
Completed by Telephone no 
DP Steering Committee 


1 a Does your Authority have a Data Protection Steering Group? YES NO 


b Does this committee deal exclusively with Data Protection and 
confidentiality matters? YES NO 
c Is this committee constituted at member/director level? YES NO 
Staffing 


2 Has your Authority appointed a Data Protection Co-ordinator/Officer 
to oversee the implementation of the Data Protection Act, 1984, within 
the Authority? Yes/ No/ in hand 


3 If yes, have the necessary responsibilities been incorporated into his/her 
job description yet? Yes/ No/ in hand 
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4 Indicate approximately the amount of staff time (in whole time equivalent 
staff) made available to carry out these duties 


Data Protection Co-ordinator/Officer Grade/Scale ....... wte 
Grade/Scale ....... wte 
Support staff Grade/Scale 1... ssssess wte 
Grade/Scale .....0 sseees wte 
Regional Liaison 
5 In the case of Regions, does your Authority 
a run Data Protection Co-ordinators meetings with its constituent YES NO 
Districts? 
b seek to monitor and co-ordinate data protection activity within 
the Region YES NO 
¢ act as an enquiry channel for District queries to CIT/Office of 
DP Registrar? YES NO 
d is time made available specifically for providing a Regionwide 
advisory/support service? YES NO 
List of equipment 
6 a Does your Authority hold a list of computers and computer 
terminals with equipment locations? Yes/ No/ in hand 
b Does this list include serial numbers? Yes/ No/ in hand 
7 a What steps have been taken to ensure that new acquisitions of 
equipment are added to the list? 
b Does this system work reliably? YES NO 
Administrative Structure 
8 a Have Data Custodians been appointed for each data system 
within your Authority? 
YES NO 
b Have they been formally advised of their responsibilities 
under the Act? YES NO 
c Are their responsibilities included in their job description yet? YES NO 
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9 a Are the Data Custodians supported by staff handling the 


day by day activities required by the Act? YES NO 
b Have they been formally advised of their responsibilities under 

the Act? : Yes/ No/ in hand 
c Are their responsiblities included in their job description yet? Yes/ No/ in hand 
d Do you call such staff Data Administrators? YES NO 


If no, please give title 


10 a Have Heads of Departments been advised of the implications 
of the Act and the need to seek specialist data protection advice 
when acquiring new equipment and/or new computer systems? YES NO 
b What steps are taken to ensure that new systems comply:- 


@) with the Act 


(ii) with the Authority's Policy and Code of Practice 


(iii) with the Authority's Registrations 


ll a Do you keep a log of your Data Protection Activity YES NO 
b Do you maintain a two-way list of sub-systems used 
by each Department and these registrations? YES NO 
12 Have you established a satisfactory management control over 
the Authority's data usage? Yes/substantially/partly/No 
Awareness Promotion 


13. How many seminars has your Authority given? ates 


14 How many staff members of your Authority have attended 
seminars on Data Protection? 


a Totalnumbers ofattenders ssa 
b Directors/Authority Members tees 
c Others ae 


d Please give total number of staff employed by Authority —.... 
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15 What attendance have you achieved in the following categories? 


Data Custodians all / most / some / none 
Support staff handling day by day activities all / most / some / none 
Heads of Departments/Sections all / most / some / none 


16 Have all staff been advised of the implications of the Data Protection Act 
1984 by note in pay envelope or otherwise? Yes/ No/ in hand 


17 Has your Authority used labels to advise staff of the legal implications 
of the Data Protection Act, 1984: 
a on equipment Yes/ No/ in hand 
b on computer output of personal information Yes/ No/ in hand 
c do you think that the labelling (whether 
programmed or manual) of computer output 


would be desirable? YES NO 
d Should there be a Data Protection warning on all computer 


output? YES NO 
Contracts 
18 Has your Authority inserted general confidentiality clauses in contracts 
or job descriptions 
of staff Yes / No / Some 
of short contract staff/outside consultants Yes / No / Some 
of suppliers of goods/services Yes / No / Some 


of suppliers of computing equipment, software and 
maintenance services? Yes / No / Some 


19 Has your Authority inserted specific Data Protection clauses in contracts 
or job descriptions 


of staff Yes / No / Some 
of short contract staff/outside consultants Yes / No / Some 
of suppliers of goods/services Yes / No / Some 


of suppliers of computing equipment, software and 
maintenance services/ ; Yes / No / Some 


PLEASE SUPPLY COPIES OF ABOVE CLAUSES 
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Policies/Code. 


s of Practice 


20 Has your Authority officially adopted a general policy on 
Data Protection 


21 Has your Authority officially adopted a general policy on the 


confidentiality of Authority Data whether computer based or 


manual? 


22 Has your Authority officially adopted a detailed code of practice 


for handling Data Protection in all Departments? 


23 Following the checklist in the CIT Guidelines on Data Protection, 
(pp 82-90), have the Departments developed adequate user manuals 


and procedures describing: 

a the general use of the departmental data systems 

b the Physical Security of the systems 

c the Access Control arrangements for the systems 

d The Data Control arrangements for the system 

e Security Procedures for the systems 

f Methods for ensuring the Accuracy of the Data 

g Methods for ensuring that data are not retained 
beyond the time for which it is required for the 
registered purpose 

h Methods for controlling Printing and Batch 
Processing services to prevent unauthorised activity 

i Methods for avoiding unauthorised photocopying 

j Methods for avoiding unauthorised copying/ 
down-loading of personal information 

k Methods for ensuring the appropriate destruction 
of unwanted output 

1 Methods for broadcasting to computer systems of 


the Authority any changes of identification/address 
material received from a Data Subject 
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YES NO 
Draft Available 


YES NO 
Draft available 


YES NO 
Draft available 


all / most / some / none 
all / most / some / none 
all / most / some / none 
all / most / some / none 
all / most / some / none 
all / most / some / none 


all / most / some / none 


all / most / some / none 


all / most / some / none 


all / most / some / none 


all / most / some / none 


all / most / some / none 
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Do you have separate codes for 


i mainframe computers YES 
ii minicomputers _YES 
iti computer network YES 
iv microcomputers YES 


Do you have separate codes of practice for personal data 
of differing sensitivity? YES 


NO 
NO 
NO 
NO 


NO 


PLEASE SUPPLY COPIES OF ABOVE POLICIES/CODES OF PRACTICE 


Passwords 


24  Inconnection with your user passwords 


a Have you adopted any general format for your passwords? YES NO 
b Do you allocate passwords? YES NO 
c Do you generate passwords from a computer algorithm? YES NO 
d Do you allow users to select their own passwords? YES NO 
e How do you avoid insecure or guessable passwords? 
f How often do you change passwords? weekly / monthly / quarterly / yearly / 
: never 
g What system have you for ensuring that passwords are 
inactivable when staff leave or change job function? 
h Does the log in procedure indicate when the password was 
last used? YES NO 
25 Do you have a complete up-to-date list of authorised users? Yes/ No/ in hand 
26  Inconsidering your system as a whole 
a Do your systems comply with the CIT checklist? Yes/ mostly/ a few/ No 
b Do you think that the security of your microcomputer 
systems is adequate? YES NO 
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¢c Do you have different procedures according to the 


data on 
i mainframe computers YES 
ii minicomputers . YES 
iti computer network YES 
iv microcomputers YES 
Registration 
27 ~~ What approach did you adopt to Registration? 
a CIT recommended approach YES 
@ A forms for patients/staff/others) 
b Single A fonn for all purposes YES 
c Multiple A forms related to geographic/administrative units YES 
d CIT approach plus additional forms YES 


28 


29 


30 


31 


32 
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clients / persons receiving services / sub-groups of population / 
electronic mail and. word processing purposes / other 


e Was this satisfactory? YES 
How many registrations did yousubmit __..... Aforms _—dsi.... 


How many amendments have you 


a found ane Aforms —Ees_—.yw. 
b submitted eee A forms aac 
Have you recorded a list of exempt systems within your Authority? YES 


Have you registered any systems which cannot be 
brought within the exemption? YES 


How do you ensure that your exempt word-processing systems are 
operated strictly within the terms of the exemption? 


NO 
NO 
NO 
NO 


NO 


NO 
NO 
NO 


NO 


B forms 


B forms 


B forms 


NO 


NO 
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Computer Bureau Services 


33 Does your Authority provide computing bureau services for other 


registered Data Users? YES NO 
If so, are you satisfied that your bureau ensures that all: 
a output is only made available to authorised representatives 
of the relevant Data Users? YES NO 
b disclosures made by your Bureau are authorised by your Data 
Users? YES NO 
c disclosures made by your Bureau are covered by their 
registrations? . YES NO 
d usage of your Data Users data by other Data Users has been 
agreed, even where it falls short of disclosure YES NO 
(ie aggregated data for planning purposes) 
e are you sure that your Bureau services fully comply with the 
eighth principle and the CIT guidelines? YES NO 
34 Does your Authority use computer bureau services from outside the 
Authority? YES NO 
If so, are you satisfied that 
a output only made available to your authorised representatives YES NO 
b disclosures made by the Bureau are authorised by you YES NO 
c disclosures made by the Bureau are coyered by your registrations YES NO 
d usage of your data by other Data Users has been agreed YES NO 
e are you sure that the Bureau services fully comply with the 
eighth principle of the Act and the CIT Guidelines YES NO 
Post-Registration Checks and Audit 
35. Have you carried out 
a pre-registration checks on all departments Data Usage YES NO 
b post-registration checks on all departments Data Usage Yes/ No/ in hand 
36 Are you satisfied that your systems are being used:- 
a in conformity with the Act yes / mostly / some /no 
b in conformity with your Authority's Policies/Code 
of practice? yes / mostly / some /no 
c in conformity with your Authority's registrations yes / mostly / some /no 
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37 


Are you intending to carry out COMPLIANCE AUDITS of your 


system? YES NO 


NHS CIT Data Protection Guidelines 


Did you have any special difficulties in understanding the guidelines? YES NO 


38 
If yes, please state sections and problems: 
39 Did you have special problems in implementing the guidelines? YES NO 
If yes, which sections presented problems? 
40 Are there areas of the guidelines which you think should be expanded, 
added or deleted? YES NO 
If yes, indicate which area: 
expand / delete / add 
expand / delete / add 
expand / delete / add 
Subject Access 


41 At the present time the only areas of doubt about subject access concems 
the Orders to be made by the Secretary of State in relation to physical and 
mental health and social work records 


a 


st 


a 


a 


Have you thought through your plans and procedures for 
handling subject access? Yes/ No/ in hand 


Have you carried out any test runs to obtain computer 
printouts from your systems as a basis for your subject access 
procedures? Yes/ No/ in hand 


Have you made any provision for obtaining plain language 
output from your systems? Yes/ No/ in harid 


Have you considered what programing may be required to 
obtain intelligible computer records for this purpose? Yes/ No/ in hand 
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e Are you intending to issue copies of printout from your main 
personnel system as a means of improving the accuracy of your 
records and providing the routine subject access (in the same way 


as the routine financial information on P60 forms) YES NO 
f Have you thought whether you could answer the worst case ; 

of subject access? YES NO 

Have you tested this? YES NO 


h Can you verify the identification of patients requesting subject 
access? YES NO 


i How? 


signed 
date 


Please return to your Regional Co-ordinator by 19 December 1986 
or direct (as agreed by your Regional Co-ordinator) to: 


Dr Barry Barber 

NETRHA Information Centre 
St Faith's Hospital 

London Road 
BRENTWOOD 

CM14 4QP 


telephone: 0277-228470 x 27 
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Appendix 3 
Analysis of Questionnaire Responses on 
Data Protection Compliance 


prepared by Paul Jansen 
Eindhoven University of Technology 


3.1 Introduction 

In December 1986 a detailed questionnaire was devised to enable an assessment to be 
made of the basic level of compliance with the Data Protection Act 1984. This 
questionnaire was sent to the Data Protection Officers and Co-ordinators of al! 
Regional and District Health Authorities; a full coverage of the country was aimed. 
(The questionnaire is shown in Appendix 2) 


The objective of the survey was to assess the degree of compliance with the Act 
within the NHS as well as to assess Data Protection Co-ordinators’ views of the 
Guidelines so they can be improved where they are inadequate. As such, the results 
of the questionnaire would be a basis for the third version of the Guidelines. 


Unfortunately as a result of a shortage of time there was no possibility to have the 
questionnaire pilotted. For this reason, some respondents appeared to have 
problems with a too limited number of answer possibilities. In addition some 
respondents did not understand some questions and in some cases it would have been 
better if some questions had been phrased in a different way, or in a different order. 


The questionnaire contained questions concerning the following fourteen parts:- 


Data Protection Steering Committee 
Staffing 

Regional Liaison 

List of Equipment 

Administrative Structure 
Awareness Promotion 

Contracts 

Policies / Codes of Practice 
Passwords 

10 _—i Registration 

11 Computer Bureau Services 

12 _‘ Post-registration Checks and Audit 
13. NHS CIT Data Protection Guidelines 
14 ~— Subject Access 


WONANMAR WD 
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By this subdivision the results of the questionnaire and their interpretation are 
described in the subsequent paragraphs of this appendix. For anyone who would 
like to see the detailed results of the questionnaire, they are available at the 
NETRHA Information Centre, St Faith's Hospital, Brentwood, Essex, 


. The answers to the questionnaire are closely related to the CIT Guidelines of 1986 
[1], because their recommendations determined in a great measure the actions the 
Health Authorities had to undertake. In most cases the question is outlined together 
with the analysis of the responses to simplify the presentation. Relevant parts of the 
CIT Guidelines are also reproduced. 


3.2 Response to the Questionnaire 

In order to obtain full coverage of the country, the Regional Data Protection 
Co-ordinators were used as intermediaries. This approach has been successful and 
resulted in a good response; the average response percentage reached a level of 
61%, which is not bad at all. The response percentages of the various Regions are 
displayed in fig. 1. The response obtained is sufficient to provide a good picture of 
the state of compliance of the Data Protection Act within the NHS. 


3.3 Data Protection Steering Committee 

The beginning of the questionnaire was to investigate to what extent a basic step in 
the implementation of the DPA such as forming a Data Protection Steering Group 
(DPSG) had been taken. 


Almost 50% of the responding Health Authorities appeared to have a DPSG, with 
the remark that it is possible that the other Authorities do have a committee which is 
concerned with similar tasks, which is not known under the name of "Data 
Protection Steering Group”. 


Of the committees of the affirming respondents only 53% deal exclusively with 
Data Protection and confidentiality matters and less than 50% are constituted at a 
Member/Director level. 


3.4 Staffing 

The staffing of Data Protection activities is poorly known or recorded. True, no 
less than 97% of the responding Authorities have acted upon the CIT Guidelines 
1986 in appointing a Data Protection Co-ordinator or Officer to oversee the 
implementation of the DPA within their Authority, but only 57% of these 
Authorities have actually incorporated the necessary responsibilities into the 
Co-ordinator's or Officer's job description. 
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REGIONS 


PERCENTAGE OF RESPONSES 


Fig. 1: Response percentages of all Regions 


Furthermore, the average time made available to carry out the Co-ordinator's and 
Officer's duties (in whole time equivalent) is no more than 0.23, with wide 
variations. 


In the Guidelines of 1986 no specific suggestion is made about the time a Data 
Protection Co-ordinator should spend on specific Data Protection tasks ("Give your 
Data Protection Co-ordinator the time and authority to carry out his or her task."). 


3.5 Regional Liaison 

In the CIT Guidelines 1986 the Regions are considered to have a co-ordinating 
position with regard to the Data Protection Act. This role consists of running 
meetings for Districts' Data Protection Co-ordinators, acting as an intermediary 
between District and Registrar etc. 


The majority of the Regional Health Authorities do act in this role. Of the 
responding Regions 64% run Data Protection Co-ordinators meetings with its 
constituent Districts, again 64% monitor and co-ordinate Data Protection activity 
within the Region and 57% of the responding Regions act as an enquiry channel for 
District queries to CIT or the Office of the Data Protection Registrar. 
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However, a slight minority of the Regions has made time available specifically for 
providing a Regionwide advisory or support service. 


3.6 List of Equipment 


For a proper registration a fully up-to-date list of equipment in use is required. 


A large majority of the Authorities (83%) keeps such a list, which contains 
computers, computer terminals and their locations. Most of them, however, do not 
include the equipment's serial numbers. , 


To ensure that these lists are kept up-to-date and therefore the Data Protection 
registration is kept up-to-date the 1986 Guidelines recommend that the Data 
Protection Steering Group must give clearance for the introduction of new 
equipment and will arrange, if necessary, for the registration of the system and will 
ensure that the procedures for protecting the Personal Data comply with the 
Authority's Code of Practice. 


In practice, most Authorities developed some kind of policy, varying form 
“Supplies and/or Finance department notifies DPSG of computer purchases" to 
"periodically a questionnaire has to be sent out to the Heads of Departments for 
current position". Some Authorities did not develop a policy for this matter, but the 
ones who did are mostly convinced that their systems work reliably (70%). 


cy Administrative Structure 
The administrative arrangements required for handling Data Protection were 
explored extensively. 


Within the responding Authorities 79% have appointed Data Custodians for their 
data systems and 69% have formally advised their Data Custodians of their 
responsibilities under the Act. Only 8% of the Authorities have included the Data 
Custodians’ responsibilities in their job description yet. 


To support the Data Custodians handling the day by day activities required by the 
Act support staff have been appointed by 56% of the Authorities. 


Of the respondents 60% have advised their staff of their responsibilities under the 
Act or are working on it. Following the same pattern as the Data Custodians, 
however, only 16% of the Authorities have officially included the staff's 
responsibilities in their job description or are in hand to do so. 


Besides that, most of the Data Custodians' staff are not called "Data Administrators" 
(only 3%), but kept their existing job title. 
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Cia 


Concerning the Heads of Departments, in 92% of the responding Authorities the 
Heads of Departments have been advised of the implications of the Act as well as the 
need to seek specialist data protection advice when acquiring new equipment. 


To ensure that new systems comply with the Act, with the Authority's Policy and 
Code of Practice, and with the Authority's Registrations different policies are 
followed by the various Authorities. Usually the new systems are checked in 
conjunction with the Data Protection Co-ordinator. 


A log of the Authority's Data Protection activity is kept by almost 60% of the 
Authorities and a small majority of 53% maintains a two-way list of subsystems 
used by each department and these registrations (which is required for Subject 
Access). 


Concluding the question if the Authority has established a satisfactory management 
control over its data usage 15% answer "Yes", 31% answer "Substantially" and 33% 
answer "Partly". Still 11% of the Authorities have to answer "No". This is 
illustrated in fig. 2. 


3.8 Awareness Promotion 

To instruct and inform their staff members most Health Authorities have given Data 
Protection seminars. The number of Data Protection seminars given by the various 
Health Authorities reaches a total of 1,191, which means approximately 8 per 
District or Regional Authority. 


The number of attenders at each seminar has not been recorded in all cases, but at 
least more than 13,800 people have been present at a Data Protection seminar (on a 
total number of NHS staff of 865,435 (in England, 1984) [2}), approximately in a 
proportion of 10% Directors/Authority Members and 90% others. 


The following can be said about the attendance the Authorities have achieved. A 
majority of the Data Custodians has attended a Data Protection seminar. The 
attendance of Support Staff is less: 41% of the Authorities answer that only "Some" 
of their Support Staff have attended a seminar. 


About the Heads of Departments 40% of the Authorities say that "Most" of them 
attended a Data Protection seminar, but still 31% say that only "Some" of them have 
attended one. 
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Fig. 2: Degree of establishment of a satisfactory management control over the 
various Authority's data usage (in cumulative percentage, referring to 
question 12 of the questionnaire) 


There are of course other ways to inform staff about the implication of the Data 
Protection Act than giving seminars. Almost 80% of the Authorities have advised 
all their staff of these implications by means of notes in pay envelopes or otherwise. 
A majority of the Authorities are using some kind of labels on their equipment 
(56%) or have the matter in hand (20%) to remind their staff of the implications of 
the Act and to keep their attention to it. 


It is different with computer output of personal information. Nearly 70% of the 
respondents do not have labels on their output of personal information. Only a 
quarter of the Authorities say to do this or to be working on it. However, most of 
them seem to think it is desirable to label computer output (69%). And the opinions 
are devided whether a Data Protection warning should be printed on all computer 
output (53% "Yes", 41% "No"). 
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3.9 Contracts 

In the CIT Guidelines of 1986 the Health Authorities are advised to develop 
appropriate clauses in contracts or job descriptions of staff and supplies, to ensure 
that they are aware of the need to protect Personal Data. 


The survey shows that the greater part of the Authorities have inserted (some) 
general confidentiality clauses in their contracts or job descriptions, mainly those 
of staff or outside consultants (77% and 66% respectively). In the contracts of 
suppliers of goods, services or computer equipment still over 50% of the 
Authorities have inserted similar general clauses. 


Only 27% of the Authorities, however, have inserted specific clauses relating to 
specific duties regarding Data Protection responsibility in the contracts or job 
descriptions of their staff. In regard to their contracts with short contract staff and 
outside consultants even only 19% of the Authorities have done this, and it is not 
much better with the contracts of suppliers of goods, services, computing 
equipment, software and maintenance services. 


3.10 Policies / Codes of Practice 

To be able to deal with all implications of the DPA and to ensure that they will be 
observed in the future it is important that all Health Authorities develop a policy and 
a Code of Practice. 


As far as a general policy on Data Protection is concerned 38% of the Authorities 
have developed such a policy and 12% have a draft available. 


Concerning a policy on the confidentiality of Authority data, whether computer 
based or manual, less Authorities have developed a policy, only 30%, and 9% have a 
draft available. 


The next step would be the official adoption by the Authority of a detailed Code of 
Practice for handling Data Protection in all departments. Of the Authorities 31% 
have adopted such a Code of Practice or are working on it; more than 60% did not 
adopt a Code of Practice. 


These figures are illustrated in fig. 3. 


In the Guidelines of 1986 a checklist had been given to summarize the suggested 
actions to ensure compliance within the Act and to give additional points to consider 
when reviewing the security, confidentiality and validation arrangements relating 
to the use of automatic data processing systems (pp 82-90). The purpose of the 
checklist was to assist Authorities in checking the probable areas where safeguards 
could be introduced. 
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Fig. 3: Measure in which the Health Authorities have adopted :- 


a general policy on Data Protection 

a general policy on the confidentiality of Authority 
Data 

a detailed Code of Practice for handling Data Protection in 
all departments 


(in percentage of answers of all Authorities, referring to 
questions 20,21 and 22 of the questionnaire) 


Following this checklist the questionnaire investigated if the departments have 
developed adequate user manuals and procedures for the various aspects of the 


Guidelines 1986. 


- Regarding the use of the departmental Data systems 40% of the Authorities say 
that "Some" of their departments have developed user manuals and 
procedures. 21% say "Most" and 17% say "None" of their departments. 


- Regarding the Physical Security of the systems (referring to Data Protection 
Principle 8 of the Act) 36% of the Authorities answer that "Some" of their 
Departments have developed user manuals and procedures, 23% answer 


"Most" and 19% answer "None" of their departments. 
8 Appendix 3. NHS Data Protection Handbook [version 3.0] August 28, 1987 


- In regard to Access Control arrangements for the systems 35% of the 
Authorities say "Some", 19% say "Most" and 17% say "None" of their 
departments have developed user manuals and/or procedures. 


- Regarding the Data Control arrangements for the systems 36% of the 
Authorities say that "Some" of their departments have developed some kind 
of user manuals or procedures, 21% say "Most" and 17% say "None” of 
their departments. 


- Regarding Security Procedures for the systems the Authorities answer: 33% 
"Some", 23% "Most" and 15% "None" of their departments have 
developed user manuals or procedures. 


-  Inregard to methods for ensuring the accuracy of the data the answers follow 
the same pattern: Of the Authorities 40% say that "Some" of their 
departments have developed user manuals or procedures, 23% say "Most" and 
17% say "None". 


- Regarding methods for ensuring that data are not retained beyond the time for 
which it is required for the registered purpose 39% of the Authorities answer 
that "Some" of their departments have developed user manuals or procedures 
for this purpose, 24% answer "None" and 15% answer "Most" of their 
departments. 


- For describing methods for avoiding unauthorized photocopying 41% of the 
Authorities say that "None", 19% say that "Some" and 9% say that "Most" of 
their departments have developed user manuals or procedures. 


- Regarding methods for avoiding unauthorized copying or down-loading of 
personal information 34% of the Authorities answer that "Some" of their 
departments have developed user manuals or procedures, 23% answer "None" 
and 14% answer "Most". 


- In regard to methods for ensuring the appropriate destruction of unwanted 
output the answers show the same pattern: 34% "Some", 21% "Most" and 17% 


"None". 


- Regarding methods for broadcasting to computer systems of the Authority any 
changes of identification or address material received from a Data Subject 35 
% of the Authorities say that "None", 31% say "Some" and 10% say that 
"Most" of their departments have developed some kind of user manuals or 
procedures. 


Separate Codes of Practice for mainframe computers, minicomputers, computer 
networks and microcomputers are not held by approximately 70% of the 
Authorities. Likewise 70% of the Authorities do not have separate Codes of 
Practice for Personal Data of differing sensitivity. 

9 Appendix 3 NHS Data Protection Handbook [version 3.0] August 28, 1987 


The overall conclusion of this paragraph is rather obvious. Some of the Authorities 
have put a great deal of effort into drafting policy documents but the total effect is 
very variable. The availability of an adequate Code of Practice will save the other 
Authorities from the effort of having to devise their own codes. 


In addition, the CIT Checklist from the Guidelines of 1986 has obviously been 
implemented in only a fragmentary way. A possible reason for this is that the 
checklist contains too many general statements which require interpretation. It 
needs to be developed into a rather more specific and practical security guide which 
distinguishes the steps required in a computing environment, facilities required 
from system suppliers, actions required from system managers and Data Custodians 
and finally action required from the individual Authorized Users. 


3.11 Passwords 

With respect to access control the CIT Guidelines of 1986 give an extensive list of 
recommendations. Most Authorities have followed these recommendations. Their 
policies with regard to access control are as follows. 


A large majority of 76% of the Authorities did not adopt a general format for their 
passwords. 


Passwords are allocated in almost 50% of the Authorities, taking into account the 
Authorities of which in some systems passwords are allocated and in some systems 
not. 


Passwords are generally not generated from a computer algorithm, although this 
would advisable; only 14% of the Authorities use computer algorithms for 
generating their passwords. 


Of the Authorities 62% allow their staff to select their own passwords. 


Computer generated passwords are usually not very guessable. Not random chosen 
passwords, however, are at risk of being insecure. According to the results of the 
questionnaire the Authorities try to avoid insecure or guessable passwords by 
supervision of the Data Custodian, line manager or Steering Group or by relying on 
the common sense of the user. Often, however, no policy has been adopted to avoid 
guessable passwords. 


To ensure that passwords are inactivated when staff leave or change job function 
most Authorities change the passwords immediately. 


Although it varies with the system in use, most Authorities do not have log-in 
procedures which indicate when the password was last used. 

Almost 60% of the Health Authorities have a complete up-to-date list of authorized 
users of their systems or have the matter in hand. 
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Considering their systems as a whole the Authorities think that mostly their systems 
comply with the CIT Checklist (51%) (See also fig. 4). Still 42% of the Authorities 
do not think that the security of their microcomputer system is adequate. In view of 
the previous answers of the Authorities and the recommendations of the CIT 
Guidelines this conclusion can be considered justified although microcomputers can 
not be considered in one line with mainframes and the like with regard to access 
control. Log-in procedures are often not necessary on microcomputers and 
therefore attempts to obtain (illegal) access to the system are rarely recorded. 
Obviously the Authorities have been busy developing some kind of policy with 
respect to passwords and access control, but not all procedures can be considered 
fully secure. 
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Fig. 4: Measure in which the Health Authorities consider their systems to 
comply with the CIT Checklist (referring to question 26a of the 
questionnaire) 


Finally approximately 40% of the Authorities have different procedures according 
to the data on their mainframe computers, minicomputers, computer network and 
their microcomputers, and 40% do not. 

11 Appendix 3 NHS Data Protection Handbook [version 3.0] August 28, 1987 


3.12 Registration 

To Register a majority of the Authorities (67%) adopted the CIT recommended 
approach of three A forms for patients/staff/others, "others" now being changed 
into "miscellaneous". Of the Authorities 7% used a single A form for all purposes, 
16% used multiple A forms related to geographic or administrative units and 17% 
of the Authorities adopted the CIT approach plus additional forms. Of the 
Authorities 88% considered their approach satisfactory. 


The number of entries varied widely; from a single entry approach up to 23 Part A 
forms and 40 Part B forms or 3 Part A forms and over 200 Part B forms. However, 
the average number of entries per Authority was 4 Part A forms and 28 Part B 
forms. Amendments have hardly been made yet. On average only 2 Part B forms 
per Health Authority. 


It is to be expected that the excessive number of entries of some Authorities will be 
found unpractical an will be re-registered as Subject Access and compliance issues 
begin to surface. 


More than 40% of the Authorities have recorded a list of exempt systems within 
their Authority. 


To ensure that the Authority's exempt word processing systems are operated strictly 
within the terms of the exemption, Authorities have developed policies like audit 
checks under control of Heads of Departments and/or Data Custodians. Some 
Authorities, however, have developed no procedure for this purpose and some of 
the Authorities have registered all their word processing systems, just to be on the 
safe side. 


3.13 Computer Bureau Services 
Of the responding Authorities 40% provides computing bureau services for other 
registered Data Users. 


A large majority of more than 80% of these Authorities are satisfied that their 
bureau ensures that all:- 


- output is made available only to authorized representatives of the relevant Data 
Users, 


- disclosures made by their bureau are authorized by their Data Users, 
- disclosures made by their bureau are covered by their registrations, 
- usage of their Data Users data by other Data Users has been agreed, even 


where it falls short of disclosure (i.e. aggregated data for planning purposes), 
and 
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- again more than 80% of the Authorities are sure that their Bureau Services 
fully comply with the eighth principle and the CIT Guidelines. 


In addition almost 80% of the Health Authorities use computer bureau services 
from outside the Authority, and again 80% of these Authorities are satisfied that:- 


- Output is made available only to their authorized representatives, 

- disclosures made by the Bureau are authorized by themselves, 

- disclosures made by the Bureau are covered by their registrations, 
- usage of their data by other Data Users has been agreed, and 


- again almost 80% of the Health Authorities are sure that the Bureau services 
fully comply with the eighth principle of the Act and the CIT Guidelines. 


3.14 Post-Registration Checks and Audit 
In order to keep registrations up-to-date and data usage in conformity with the rules 
it is important that Authorities regularly carry out checks. 


Obviously, before registration it is necessary to check all departments’ data usage. 
Otherwise a proper registration would be impossible. Almost 75% of the Health 
Authorities have actually carried out these pre-registration checks. 


Only 9% of the Health Authorities, however, have also executed post-registration 
checks on all departments, to ensure that data still are used in conformity with the 
registrations. In addition 40% of the Authorities are having some kind of 
post-registration in hand. 


Concluding, almost 90% of the Health Authorities are fully or mostly satisfied that 
their systems are being used in conformity with the Act. Nearly 70% are (fully or 
mostly) convinced that their systems are being used in conformity with their 
Authority's Policies or Codes of Practice, and no less than 92% of the respondents 
are more or less satisfied that their systems are being used in conformity with their 
Authority's registrations. (See also fig. 5.) 


In addition more than 75% of the Health Authorities are intending to carry out 


Compliance Audits of their systems, in order to ensure compliance with the DPA, 
their Code of Practice and their registrations. 
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Fig. 5: Measure in which the Health Authorities are satisfied that their systems 
are being used:- 
- in conformity with the Data Protection Act 
- in conformity with their Policies/Codes of Practice 
- in conformity with their registrations 
(in percentage of answers of all Authorities, referring to question 
36 of the questionnaire) 


3.15 NHS CIT Data Protection Guidelines 
In examining the previous Guidelines most Health Authorities had no difficulties in 
understanding them. 


However, 25% of the Authorities did have some special problems in 
implementing the Guidelines. The most often mentioned problem is the shortage 
of time to implement the Guidelines. A few Authorities had other priorities and 
were not able to disengage themselves for the implementation of the implications of 
the Act. Other Authorities mentioned that they found it rarely possible to "merge" 
all peculiarities of each system identified by a Data Custodian on to a common DPR1 
Part B form. 
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Nevertheless hardly any Authority made a suggestion to improve certain areas of 
the Guidelines. 


3.16 Subject Access 

On 11 November 1987 the final phase of the implementation of the Data Protection 
Act will take place. Among other things the Subject Access provisions of the Act 
will become effective. 


Therefore the Health Authorities are recommended by the CIT Guidelines 1986 to 
prepare themselves for this Subject Access, although there are at the present time 
still some areas of doubt about Subject Access, concerning the Orders to be made by 
the Secretary of State in relation to physical and mental health and social work. 


Apparently, far from all Authorities have thought of the Subject Access 
implications. Only 22% of the Authorities have thought through their plans and 
procedures for handling Subject Access, but more than 40% are working on it. 


A large majority of the Authorities (81%) responded that they did not carry out any 
test runs to obtain computer printouts from their systems as a basis for their Subject 
Access procedures. 


Again only 20% of the Health Authorities have made or are making provisions for 
obtaining plain language output from their systems. A same number of Authorities 
have considered or are considering what programming may be required to obtain 
intelligible computer records for this purpose. 


However, more than 50% of the Authorities are intending to issue copies of printout 
from their main personnel system as a means of improving the accuracy of their 
records and providing the routine Subject Access. 


More than 25% of the Health Authorities have thought whether they could answer 
the worst case of Subject Access, but nobody has tested this yet. 


Finally, 35% of the Authorities say that they are capable of verifying the 
identification of patients requesting Subject Access, mostly by checking 
identification papers such as passport, driver's licence and the like. 
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Appendix 4 - Data Protection 
Compliance Check List 


Notes 

1 The following questions are listed as a means of carrying out a Data Protection 
Compliance Check of the Data Protection aspects of the Authority's data usage. The 
emphasis in answering the questions should be on the existence of 
mechanisms and systems for assuring the Authority that 
appropriate steps have been taken in conformity with the Data 
Protection Act 1984. Where appropriate there should be documentary evidence 
that is admissible in court to support the responses. 


2 Enter Yes as V and No as x 
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Data User Compliance Check 

Health Authority.............ccscccsssssssssoscscescenses 
Data Protection Co-ordinator............ccccssscssseees 
Compliance check DyY..........sccsccsssssssssecsccees 


Date.../../.. Yes/No 


Registration 
Have you registered all your data usage ? 


Compliance and Advice 


Do you carry out a regular Compliance Check to ensure that all | 


your data usage is still covered by your registrations ? 

Do you carry out regular checks to ensure that all your 
registerable systems are currently operated in compliance with the 
Data Protection Principles 

Do you have access to expert advice on Data Protection ? 


Training 


_Do all Heads of Dept and Data Custodians receive training in 
-handling Data Protection matters ? 


Have all your Authorised Users had adequate training in the use of 
their computer systems ? 


Documentation 

Have all Authorised Users had copies of the Authority's relevant 
Data Protection Registrations, Policies, Code of Practice and User 
Manuals ? 


Have appropriate clauses been inserted into employees contracts 
regarding Confidentiality and Data Protection ? 


Have appropriate clauses been inserted into the contracts of Heads 
of Dept, Data Custodians and Authorised Users regarding 
Confidentiality and Data Protection ? 


Have appropriate clauses been inserted into supplier contracts 
regarding Confidentiality and Data Protection ? 


Have appropriate clauses been inserted into the contracts of 
suppliers of computer hardware, software or any repair or 
maintenance services regarding Confidentiality and Data 
Protection ? 
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Data User Compliance Check (cont) 

Staff Awareness 

Have steps been taken to ensure that new staff understand the 
importance of Confidentiality and the requirements of the Data 
Protection Act 1984 in handling Personal Data? 


Have recent steps been taken to promote the awareness of staff 
about the need for Confidentiality, the importance of ensuring the 
security of Personal Data and of avoiding unauthorised Disclosure 
of Personal Data and the requirements of the Data Protection Act 
1984 in handling Personal Data ? 


Have non-Authority staff been made aware of the Authority's 
requirements regarding the handling of Personal Data ? 


Have all Authorised Users signed a suitable compliance form? 


Are there clearly understood mechanisms to enable staff to get 
advice on matters of Confidentiality and Data Protection ? 


Have steps been taken to ensure that staff do not have access to 
more Personal Data than is required by the job they do ? 


Are suppliers of computer hardware, software or any repair or 
maintenance services required to sign a suitable compliance form 
before undertaking work involving access to the Health 
Authority's Personal Data ? 


Authority Policies 

Has the Authority adopted specific computer system selection 
procedures that meet the requirements of the Data Protection Act 
1984 ? 

Does the Authority have a general Data Protection Policy ? 


Does the Authority have a detailed Code of Practice for Data 
Protection ? 


Does the Authority have detailed User Manuals for each computer 
system containing Personal Data ? 
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Data User Compliance Check (cont) Yes/No 


Does the Authority have job descriptions covering their 
responsibilities under the Act for:- 


Data Protection Co-ordinators ? 
Heads of Department ? 

Data Custodians ? 

Regional Data Protection Officers ? 


Does the Authority have an up-to-date register of computing and 
other registerable equipment ? 


Does the Authority have a register of Authorised Computer 
Systems, listing Data Custodians and relevant Data Protection 
registrations ? 


Does the Authority have a Data Protection and Complaints Log 
recording Data Protection activity and action taken in respect of 
complaints ? 


Does the Authority have a Subject Access request and Exceptional 
Disclosure Log ? 


Disclosure Prevention 
Has the Authority taken active steps to ensure that staff only have 
access to the Pesonal Data required to perform their jobs ? 


Has the Authority taken security measure to prevent unauthorised 
access to its Personal Data held on:- 


mainframe/minicomputers 
microcomputers 

magnetic tape or discs 

microfiche (Personal Information) 
printed output (Personal Information) 


2aAano es 


Has the Authority taken steps to ensure that staff do not make 
unauthorised Disclosures of Personal Data ? 
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Data User Compliance Check (cont) 


Subject Access 

Does the Authority have rapid facilities for providing intelligible 
copies of any Personal Data that it holds on any of its computer 
systems ? 


Has the Authority tested its ability recently to obtain copies of 
Personal Data from all its registerable systems ? 


Has the Authority examined all the implications of Subject Access 
and devised appropriate measures to comply with its 
responsibilities for providing Subject Access to its systems ? 


Does the Authority monitor the time taken to handle authenticated 
Subject Access requests ? 


Does the Authority routinely comply with the 40 day period 
allowed for processing Subject Access requests ? 


Word Processing and Electronic Mail 
Does the Authority include its word processing systems within its 
register of equipment ? 


Has the Authority taken effective steps to ensure that its word 
processing and electronic mail activities are either registered in the 
normal way or operated within the exemptions of the Act ? 


Does the Authority hold any references, curriculum vitae or other 
Personal Data anywhere on its word processing systems ? 


Has the Authority carried out any recent checks on its word 


processing systems to verify that they do not contain any Personal 
Data within the meaning of the Data Protection Act 1984 ? 
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Departmental Compliance Check 

Head of Departme nt..............ceccscccccccccccecceccece 
Data  CustOdi an sviccssescsscaisesscsscswasesenasaedacevcees 
Compliance check DyY.........cccccccccccccccpecceccccoes 
Date.../../.. Yes/No 


Registration 
Is all your data usage covered by Authority registrations ? 


Do you carry out a regular Compliance Check to ensure that all 
your data usage is still covered by your registrations ? 


Do you carry out regular Compliance Checks to ensure that all 
your Authorised Users are operating your systems in compliance 
with the Data Protection Principles ? 


Do you have access to expert advice on Data Protection ? 


Do Data Custodians receive training in handling Data Protection 
matters ? 


Staff Instruction and Training 
Do you maintain an up-to-date list of all Authorised Users of your 
systems containing Personal Data ? 


Have all your Authorised Users had adequate training in the use of 
their computer systems ? 


Have all Authorised Users had copies of the Authority's relevant 
Data Protection Registrations, Policies, Code of Practice and User 
Manuals ? 


Have appropriate instructions been given to all staff regarding 
the need for Confidentiality and the requirements of the Data 
Protection Act 1984 in handling Personal Data ? 


Have appropriate instructions been given to Data Custodians and 
Authorised Users regarding Confidentiality and Data Protection ? 


Have appropriate clauses been inserted into the contracts of all 
your suppliers of computer hardware, software or any repair or 
maintenance services regarding Confidentiality and Data 
Protection ? 
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Departmental Compliance Check 
Have steps been taken to ensure that new staff understand the 
importance of Confidentiality and the requirements of the Data 


Protection Act 1984 in handling Personal Data ? 


Have recent steps been taken to promote the awareness of staff 
about the need for:- 


a protecting the security of Personal Data to which they have 
access, whether held on computer systems, magnetic media, or in 
printed form on paper or microfilm or microfiche ? 


b avoiding unauthorised Disclosure of Personal Information 
to anyone, whether employees of the Health Authority or not ? 


Have all non-Authority staff working in or for your department 
been made aware of the Authority's requirements regarding the 
handling of Personal Data ? 


Are there clearly understood mechanisms to enable your staff to 
get advice on matters of Confidentiality and Data Protection ? 


Documentation 
Have you adopted specific computer system selection procedures 
that meet the requirements of the Data Protection Act 1984 ? 


Have steps been taken to ensure that staff do not have access to 
more Personal Data than is required by the job they do ? 


Does your department have copies of the written Policy and Code 
of Practice of the Authority on Confidentiality and Data 
Protection? 


Does your department have detailed User Manuals for each 
computer system containing Personal Data ? 


Do the individuals in your department carrying out specialist 
functions under the Data Protection Act 1984. have appropriate 
items included in their job descriptions ? 


Do you have an up-to-date list of computing equipment used by 


your department and are changes automatically notified to the Data 
Protection Co-ordinator ? 
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Departmental Compliance Check 

Do you have a list of all the Authorised Computer Systems, in your 
department listing Data Custodians and relevant Data Protection 
registrations ? 


Do you make sure that any significant Data Protection activity is 
recorded in the official Authority log ? 


Data Protection Principles 
Are the Personal Data contained in the systems obtained and 
processed fairly and lawfully [DPP 1] ? 


Are the Personal Data used only for the registered purposes [DPP 
2]? 


Are steps taken to ensure that the Personal Data are only disclosed 
as registered and as required for those purposes [DPP 3] ? 


Are all the Personal Data adequate, relevant and not excessive for 
the registered purposes [DPP 4] ? 


Are the Personal Data accurate, and where appropriate for the 
registered purposes, up-to-date [DPP 5] ? 


Are the Personal Data erased or securely destroyed when they are 
no longer required for the registered purposes [DPP 6] ? 


Do you make sure that any complaints about Confidentiality or 
Data Protection are forwarded to the Data Protection Co-ordinator 
for action ? 


Subject Access Arrangements 

Do you make sure that any Subject Access requests coming direct 
to your department are forwarded immediately to the Data 
Protection Co-ordinator ? 


Have you made arrangements to be able to provide an intelligible 
copy of any Personal Data held in your computing systems in a 
form suitable for use in responding to Subject Access requests [see 
DPP 7] ? 


Can you respond suitably to all Subject Access requests within 20 
days ? 
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Security 

Have you taken appropriate security measures against unauthorised 
access to, or alteration, disclosure or destruction of Personal Data 
[see DPP 8] ? 


Have you taken appropriate security measures against the 
accidental loss or destruction of Personal Data [see DPP 8] ? 


Do you discuss any Exceptional Requests for the disclosure of 
Personal Information with the Data Protection Co-ordinator before 
making any disclosure in order to secure additional registration 
or proper recording of the Exceptional Disclosure ? 


Do your computer systems contain only Registered Personal Data 
for which only limited security is required ? 


Do any of your computer systems contain Secure Personal Data for 
which very high security is required ? 


Is the physical security of all the areas and all the equipment of your 
department adequate at all times for the Personal Data to which 
your staff have access ? 


Disclosure Prevention 
Do you ensure that staff only have access to the Personal Data 
required for their work ? 


Do you ensure that your staff take proper security measures for 
handling Personal Data on:- 


a mainframe/minicomputers 
b microcomputers 

c magnetic tapes or discs 

d microfilm or microfiche 

e printed output ? 


Do you ensure that your staff do not make unauthorised Disclosures 
of Personal Data ? 
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Departmental Compliance Check Yes/No 
Operating Systems and Log-on Procedures 

Do your computer systems carry warnings about the Data 
Protection Act 1984 and avoid giving assistances to potential 

intruders ? 


— 2 By 


2 Do your operating systems log the date, time and terminal of all 
systems accesses, successful or not? 


3 Do your systems automatically give the most recent log-on under 
any identity/password combination together with a count of the 
number of unsuccessful log-on attempts since the last successful 
log-on for the user to check the use of his account? 


4 Do your systems automatically log-off after a specified period of 
inactivity on the terminal? 


5 Can the passwords be obtained from unauthorised inspection of the 
normally functioning system? 


6 Does the system provide facilities for the automatic generation of 
passwords ? 


7 Are existing passwords disallowed when password changes are 
enforced ? 


8 Are identity/password combinations disabled after a specified 
number of access failures ? 


9 Can identity/password combinations be confined to specific 
terminals, times, systems and levels of access? 


10 Can the system require repeated verification of the password 
during long sessions and at log-off time? 


11 Can the password be displayed or printed? 


9 Networked Systems 
1 ‘Are separate passwords required for access to the network as well 


as the individual computer systems? 


2 Is the network accessible from the Public Switched Telephone 
Network? 


3 Is any Confidential or Secure Personal Data transmitted 
unencrypted over the network? 
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Departmental Compliance Check 
Application Design - Identifying Data Subjects 
Is the Data Subject's identity securely established? 

Is the Data Subject's name displayed on each screen? 


Is it necessary to separate the Data Subject's identity from his 
Personal Data ? 


Application Design - Data Accuracy 
Does the system validate the accuracy of the Personal Data as far as 
is possible ? 


Is the Personal Data entered directly by or verified by the Data 
Subject ? 


Is Personal Data received from the Data Subject or from third 
parties marked as such whenever the data is displayed or printed ? 


Does the system record the identity of the Authorised User under 
whose password the data was input ? 


Application Design - Data Security 
Is the Authorised User's name displayed on the screen ? 


Is all Personal Data labelled as such on computer output ? 


Can Personal Data be output or displayed without them being 
authorised by an appropriate password ? 


Computer Centre's Responsibilities [this includes anyone in 
actual control of computers, not simply major computer centres] 


Are full security precautions taken to ensure the integrity and 
security of the Personal Data ? 


Are sufficient back-up copies of the Personal Data available to 
ensure full system recovery following a system crash ? 


Have you recently demonstrated the ability of the system to 
recreate the data base following system failure ? 


Are blank and inadequate passwords prevented ? 
Is the system log regularly inspected to detect unauthorised access ? 
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Departmental Compliance Check Yes/No 


Are full security measures implemented to prevent tampering with 
data and to detect illegal system usage ? 


Are secure steps taken to ensure that Personal Data is only passed 
on to individuals who are properly authorised to receive it ? 


Are effective arrangements made to ensure that Personal Data are 
only disclosed against written legal instructions ? 


Are Personal Data held on computer-readable media that are not 
required for either historic or back-up purposes deliberately 
erased rather than simply having the media re-assigned to other 
uses ? 


Is Personal Information held on paper or film securely destroyed 
when it is no longer required for the purposes registered ? 


Data Custodian's Responsibilities 

In allocating passwords, are all Authorised Users restricted to the 
minimum level of access, either to inspect or to up-date Personal 
Data, consistent with the effective discharge of their jobs ? 


Do you hold copies of all the Authority's registrations under which 
your department operates ? 


Are passwords changed regularly according to the sensitivity of 
the Personal Data being processed ? 


Are passwords de-activated when staff change functions ? 

Do you have a reliable system for ensuring that the passwords of 
staff leaving the Authority, especially when disciplinary matters 
are involved, are inactivated and that their access to sensitive areas 
is withdrawn ? 

Do you only allocate passwords on an individual basis ? 


Are you able to restrict the access to sensitive systems in your 
department to particular terminals, times or individuals ? 


Do you ensure that no demonstrations are given of any of your 


systems containing Personal Data to anyone who is not normally 
entitled to access to that Personal Data? 
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Departmental Compliance Check Yes/No 


Do you encourage your staff to use a separate training database 
wherever possible, even where they are entitled to access to the 
Personal Data on the live system ? 


Do you ensure that only companies or individuals registered under 

the Data Protection Act 1984 are permitted to maintain your 
hardware and software when this involves acccess to Personal 
Data? 


Do you ensure that any use of other computer systems by your 
staff, or joint use of systems with other organisations is fully 
covered from the point of view of registration and disclosure 
under the Act ? 


Are steps taken to prevent the unauthorised printing or copying or 
photocopying of Personal Information whether in printed or 
computer-readable form ? 


Do you regularly inspect the access logs for your systems to check 
for unauthorised access or possible tampering with Personal Data ? 


Is your Confidential or Secure Personal Information kept securely 
locked away when it is not actually being used ? 


Are copies of Secure Personal Data numbered and is their usage 
carefully controlled and monitored ? 


Do you ensure that your staff have no greater level of access to 
Personal Data than their job requires ? 


Do you take particular care over the security and use of Personal 
Information held on microfilm ? 


Do you insist on personally allocating passwords where they 
cannot be generated by the system itself and disabling them after 
temporary use by in-house or outside service organisations ? 


Word Processing and Electronic Mail 
Does your department include your Word Processing and 
Electronic Mail systems within the register of equipment ? 


Has your department taken effective steps to ensure that your 
Word Processing and Electronic Mail activities are either 
registered in the normal way or operated within the exemptions of 
the Act ? 
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Does your department hold any references, curriculum vitae or 
other Personal Data anywhere on Word Processing systems ? 


Have you carried out any recent checks to verify that your Word 
Processing Systems do not contain any Personal Data within the 
meaning of the Data Protection Act 1984 ? 


Have you taken step to ensure that in respect of your use of Word 
Processing systems:- 


a 


work is organised into well-defined categories such as 
correspondence, committee minutes, reports etc ? 


define a suitable life cycle for the retention of files in each 
category of work and ensure that it is observed ? 


where unregistered person specific material is produced, 
such as references and curriculum vitae, it is not be held in 
electronic form and up-dated for repeated use ? 


{editing from paper files is acceptable but not from 
electronic files unless the person referred to is accepted as a 
Data Subject and Subject Access facilities are provided] 


where Personal Data is held this data usage has been 
registered and facilities are provided for Subject Access ? 


{in general a name index is required to make Subject Access 
reasonably straightforward] 


Have you ensured that your departmental usage of Word 
Processing and Electronic Mail conforms to the relevant 
requirements of the Eight Data Protection Principles ? 
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C Authorised User Compliance Check 
AULWOFISED USD ssivcccsasccaseccecstveccesnsccesasssasccses 
Data. Cust a wt scsiisscsceceseccnassoevassevexcassevsekiees 
Compliance check  DyY..............cccccesccscccccececeee 
Date.../../.. Yes/No 


1 Are you satisfied that your use of the computer systems is covered 
by the Authority's registrations ? 


2  Doyou ensure that the information needed to use the system is not 
accessible to someone who is not authorised to use it both during 
and outside of normal working hours ? 


3 Do you ensure that no-one other than yourself can discover any of 
your passwords for accessing the Personal Data in the computer 
systems ? 


4 Do youensure that any computer copies you make during your use 
of the system are protected by the same level of security as the 
original information ? 


5 Do you understand the implications of the Data Protection Act 
1984, the Authority's registrations under the Act and the 
Authority's policies regarding:- 


The Data Protection Principles:- 


Collection of Personal Information ? 

Use of Personal Information ? 

Disclosure of Personal Information ? 

Accuracy of Personal Information ? 

Using up-to-date Personal Information ? 

Retention of old Personal Information ? 

Access of individuals to their own Personal Information ? 
Security of Personal Information ? 


6 Do you understand that all Personal Information must be treated 


confidentially and not revealed to anyone who does not require it 
for their work for the Authority ? 
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Authorised User Compliance Check (cont) 

Do you understand that no Personal Information must be disclosed 
to anyone outside the Authority unless this disclosure has been 
agreed with the Data Custodian and is :- 


a a routine disclosure which is covered by the Authority's 
registrations ? 


b a non-routine disclosure which is covered by the 
Authority's registrations ? 


c an Exceptional Disclosure that is necessary and has been 
recorded and covered by a Disclosure Exemption under the 
Act or by a modification to the Authority's Data Protection 
Register entries? 


Do you realise that all Confidential and Secure Personal 
Information, whether on paper, film or on magnetic discs must be 
securely locked away when not in actual use ? 


Do you realise that copies of Confidential and Secure Personal 
Information, whether on paper, film or on magnetic discs, must be 
securely destroyed or erased when no longer required ? 


Do you check that when you log-on to your computer systems that 
your password has not been used by someone else since your last 
session on the computer and that the system has recorded correctly 
any log-on failures that you have made since that time ? 


Do you realise that the normal use of Word Processing and 
Electronic Mail systems brings them within the scope of the Act? 
[If the Authorised User makes any use of such systems, continue 
with the Word Processing and Electronic Mail Systems User 
Compliance Check] 
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D Word Processing and Electronic Mail Users 


Compliance Check 

WP ME? WSOP cic eats tek nncensaadootca@aacwcascsssaceavses 
Data  CUStOM AN: dccscessecssiccscsncsavssevrsnsasseessoessee 
Compliance Check  DyY...........ccccccccccecvccccccecccees 


1 Do you realise that the normal use of Word Processing and 


Electronic Mail Systems brings them within the scope of the Act ? 


2 Have you taken taken effective steps to ensure that your Word 


Processing and Electronic Mail activities comply with the 
Authority's registrations under the Act ? 


3 Do you hold any references, curriculum vitae, indexed author 


references, or other Personal Data anywhere on your Word 
Processing and Electronic Mail Systems ? 


4 Have you taken steps, in respect of your use of Word Processing 


systems to ensure that:- 


a work is organised into well-defined categories, such as 
correspondence, committee minutes, reports, etc ? 


b a suitable life cycle is defined for the retention of files in 
each category of work and ensure that it is observed ? 


c where unregistered personal specific material is produced, 
such as references and curriculum vitae, it is not held in electronic 
form and up-dated for repeated use ? 


[editing from paper files is acceptable but not from electronic files, 
unless the person referred to is accepted as a Data Subject and 
Subject Access facilities are provided] 


5 Have you carried out any recent checks on your Word Processing 


systems to verify that they do not contain any Personal Data within 
the meaning of the Data Protection Act 1984 ? 


6 Do you ensure that you can respond to any Subject Access requests 


to the Word Processing and Electronic Mail systems you use ? 


[In general a name index is required to make Subject Access 
workable] 
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Computer Bureau Compliance Check 


COMpPUter «BaP Ca Us csoscsecsdecs nace cdees eosnasvkedsennvietes 
Head of Computer Bureau.............ccccsceccscceces 


Compliance CHECK “DY discivsscsccrcenaesvencaseacavsseosee 
Date.../../.. Yes/No 


Registration 
Have you registered as a Computer Bureau as well as Data User for 
with all your own data usage ? 


Data Security 

Have you taken appropriate security measures against unauthorised 
access to, or alteration, disclosure or destruction of Personal Data 
[see DPP 8] ? 


Have you taken appropriate security measures against the 
accidental loss or destruction of Personal Data [see DPP 8] ? 


Do you discuss any Exceptional Requests for the disclosure of 
Personal Information with the Data Protection Co-ordinator 
before making any disclosure in order to secure additional 
registration or proper recording of the Exceptional Disclosure ? 


Compliance and Advice 
Do you carry out a regular Compliance Check to ensure that all 
your data usage is still covered by your registrations ? 


Do you carry out aregular Compliance Check to ensure that the 
security of all your data systems complies with the Eighth Data 
Protection Principle ? 


Do you have access to expert advice on Data Protection ? 


Training 
Do Team Leaders receive training in handling all aspects of Data 
Security and Data Protection matters ? 


Have all your staff had adequate training in the use of their 
computer systems, the importance of Confidentiality in handling 
Personal Data, Data Security and the implications of the Data 
Protection Act 1984 ? 
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Computer Bureau Compliance Check (cont) Yes/No 


Documentation 

Have all staff had copies of the Authority's relevant Data 
Protection Registrations, Policies, Code of Practice and User 
Manuals, together with the special requirements of the Computer 
Bureau in handling Data Security ? 


Have appropriate clauses been inserted into staff contracts 
regarding Confidentiality, Data Security and Data Protection ? 


Have appropriate clauses been inserted into the contracts of 
suppliers of computer hardware, software or any repair or 
maintenance services regarding Confidentiality, Data Security and 
Data Protection ? 


Staff Awareness 

Have steps been taken to ensure that new staff understand the 
importance of Confidentiality and the requirements of the Data 
Protection Act 1984 in handling Personal Data? 


Have steps been taken to ensure that new staff understand the 
importance of Data Security and requirements of the Data 
Protection Act 1984 in handling Personal Data? 


Have recent steps been taken to promote the awareness of staff 
about the need for Confidentiality and the requirements of the Data 
Protection Act 1984 in relation to Data Security and the handling 
Personal Data ? 


Have non-Computer Bureau staff been made aware of the Bureau's 
requirements regarding the handling of Personal Data, 


particularly in respect of Data Security ? 


Are there clearly understood mechanisms to enable staff to get 
advice on matters of Confidentiality, Data Security and Data 
Protection ? 


Computer Bureau Policies 

Has the Computer Bureau adopted specific computer system 
selection procedures that meet the requirements of the Data 
Protection Act 1984 ? 


Have steps been taken to ensure that staff do not have access to 
more Personal Data than is required by the job they do ? 
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E Computer Bureau Compliance Check (cont) Yes/No 
3 Does the Computer Bureau have a general Data Protection Policy ? 


4 Does the Computer Bureau have a detailed Code of Practice for 
Data Protection which places specific responsibilities on its 
Computer Bureaux? 


5 Does the Computer Bureau provide full Data Security facilities, 
recorded in the User Manuals, for each computer system 
containing Personal Data operated by the Computer Bureau? 


6 Do the staff of the Computer Bureau have items in their job 
descriptions covering the Computer Bureau's responsibilities 
under the Act for Data Protection and Data Security ? 


7 Does the Computer Bureau have an up-to-date register of 
computing equipment ? 


8 Does the Computer Bureau have a register of Computer Systems it 
offers together with draft Data Protection registrations User 
Manuals specifying how the systems meet the Data Security 
requirements of the Data Protection Act 1984 ? 


9 Does the Computer Bureau have a Data Protection and Complaints 
Log recording Data Protection activity with particular emphasis 
on breaches of all aspects of Data Security and action taken in 
respect of complaints ? 


8 Subject Access Facilities 

1 Do all the systems run by the Computer Bureau have convenient 
facilities for printing the Personal Data held in them for 
convenient and intelligible form for Subject Access purposes ? 


2 Do you make sure that any Subject Access requests arriving at the 
Computer Bureau are immediately forwarded to the appropriate 
Data User for action ? 


3 Can the Bureau respond to requests for copies of Personal 
Information from all of its systems within 20 days to enable its 
Data Users to respond to Subject Access requests within the 
allowed period of 40 days ? 
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F Computer Systems Compliance Check 
COMPUtLEr “SY SlONI siseisevcescssewsccessvsnngussenecaoesness 
Team Leader Responsible................cccccccccsccsees 
Compliance Check  DyY.............ccccccceccsccccccececee 
Date.../../.. Yes/No 


1 General System Security 

1 Are you aware of the physical situations in which your cpuieo are 
being used and is the level of security provided by the systems 
adequate for these situations ? 


2 Is the physical security of all the areas and all the equipment of 
your department adequate at all times for the Personal Data to 
which your staff have access ? 


3 Are you aware of the sensitivity of the Personal Data held in your 
systems and is the level of security provided by the systems 
adequate for this level of sensitivity ? 


4  Doany of your computer systems contain Secure Personal Data for 
which very high security is required ? 


5 Do your computer systems contain only Registered Personal Data 
for which only limited security is required ? 


6 Have you taken appropriate security measures against unauthorised 
access to, or alteration, disclosure or destruction of Personal Data 
[see DPP 8] ? 


7 Have you taken appropriate security measures against the 
accidental loss or destruction of Personal Data [see DPP 8] ? 


8 Do you discuss any Exceptional Requests for the disclosure of 
Personal Information with the Data Protection Co-ordinator 
before making any disclosure in order to secure additional 
registration or proper recording of the Exceptional Disclosure ? 


2 Operating Systems and Log-on Procedures 

1 Do your computer systems carry warnings about the Data 
Protection Act 1984 and avoid giving assistances to potential 
intruders ? 


2 Do your operating systems log the date, time and terminal of all 
systems accesses whether successful or not ? 
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Computer Systems Compliance Check 


Do your systems automatically give the most recent log-on under 
any identity/password combination together with a count of the 
number of unsuccessful log-on attempts since the last successful 
log-on for the user to check the use of his account ? 


Do your systems automatically log-off after a specified period of 
inactivity on the terminal during the log-on sequence ? 


Do your systems automatically log-off after a specified period of 
inactivity on the terminal ? 


Does the system automatically terminate the transaction if the line 
gets hung up during processing ? 


Can the passwords be obtained from unauthorised inspection of the 
normally functioning system [eg by inspecting core dumps] ? 


Are the passwords held in encrypted form ? 


Are passwords of adequate length generated randomly by the 
system and are the users prevented from using any other 
passwords? 


Does the system provide facilities for the automatic generation 
of passwords ? 


Does the system reject any trivial password [eg 2 blank password] 
and ensure that a valid password must be of a minimum length ? 


Does the system enforce password changes after a preset time or 
number of transactions ? 


Are existing passwords disallowed when password changes are 
enforced ? 


Are identity/password combinations disabled after a specified 
number of access failures ? 


Can identity/password combinations be confined to specific 
terminals, times, systems and levels of access ? 


Can identity/password combinations with access to very deep levels 
of the systems architecture or very powerful commands be 
confined to specific terminals, times and systems ? 
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Computer Systems Compliance Check 


Is the terminal automatically logged-off following a preset period 
of inactivity on the terminal ? 


Can the system require repeated verification of the password 
during long sessions and at log-off time ? 


Can the password be displayed or printed ? 


Does the system automatically erase information from unwanted 
files before re-assigning the media for other use ? 


Does the system automatically check the tape headers before 
writing new data ? 


Does the system automatically check the ownership of media 
before proceding with processing ? 


Does the system perform suitable checks on individual files before 
proceding with processing ? 

Networked Systems 

Are separate passwords required for access to the network as well 
as the individual computer systems ? 


Is the network, or any of the computer systems, accessible from the 
Public Switched Telephone Network ? 


Is any Confidential or Secure Personal Data transmitted 
unencrypted over the network ? 


Application Design - Identifying Data Subjects 
Is the Data Subject's identity securely established ? 


Does the Data Subject's identification number include any check 
digits to help authenticate the identification ? 


Is the Data Subject's name displayed on each screen ? 


Does the system ensure that some identifying Personal Data is 
mandatory before futher transactions can proceed ? 


Is it necessary to separate the Data Subject's identity from his 
Personal Data ? 
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F Computer Systems Compliance Check Yes/No 


5 Application Design - Data Accuracy 
Does the system validate the accuracy of the Personal Data as far as 
is possible ? 


— 


2 Is the Personal Data entered directly by or verified by the Data 
Subject ? 


3 Is Personal Data received from the Data Subject or from third 
parties marked as such whenever the data is displayed or printed ? 


4 Does the system record the identity of the Authorised User under 
whose password the data was input ? 


5 Does the system have bulk output facilities for issuing Data 
Subjects with copies of their Personal Data in order to improve the 
accuracy of these data ? 


6 Application Design - Data Security 

1 Does the system have clearly documented methods of recovering 
from hardware or software failure to ensure that there is no loss or 
corruption of Personal Data ? 


2 Have the recovery procedures been recently demonstrated to the 
Data Custodian as being fully effective ? 


3 __ Is the Authorised User's name displayed on the screen ? 
4 — Isalli Personal Data labelled as such on all computer output ? 


5 Can Personal Data be output or displayed without being authorised 
by an appropriate password ? 


6 Have arrangements been made to reduce the possibility of 
unauthorised printing or copying of Personal Data ? 


7 Does the system always include a record of the time terminal and 


identity of the authorising individual as an integral part of the 
output ? 
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7 Operational Responsibilities 
1 Are full security precautions taken to ensure the integrity and 
security of the Personal Data ? 


2 Are sufficient back-up copies of the Personal Data available to 
ensure full system recovery following a system crash ? 


3 Are back up copies kept at a remote site to guard against risks from 
fire, flood and major computer centre destruction ? 


4 Have you recently demonstrated the ability of the system to 
recreate the data base following system failure ? 


5 Is the system log regularly inspected by the relevant Team Leader 
to detect unauthorised access ? 


6 Are full security measures implemented to prevent tampering with 
data and to detect illegal system usage ? 


7 Are secure steps taken to ensure that Personal Data is only passed 
on to individuals who are properly authorised to receive it ? 


8 Are effective arrangements made to ensure that Personal Data are 
only disclosed against written legal instructions ? 


9 Are Personal Data held on computer-readable media that are not 
required for either historic or back-up purposes deliberately 
erased rather than simply having the media re-assigned to other 
uses ? 


10 Is Personal Information held on paper or film securely destroyed 
when it is no longer required for the purposes registered ? 


11 Are all batch processing runs properly authorised as valid 
requests? 


12 Do you hold copies of any Data Protection registrations where the 
Computer Bureau undertakes any services beyond the strict 
services of a Computer Bureau [eg making registered disclosures 
of Personal Information to third parties] ? 
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F Computer Systems Compliance Check Yes/No 


8 System Manager's Responsibilities 

1 In allocating passwords, are all Authorised Users restricted to the 
minimum level of access, either to inspect or to up-date Personal 
Data, consistent with the effective discharge of their jobs ? 


2 Do you verify that all Data Users utilising your system are 
properly registered under the Data Protection Act 1984 ? 


3. Are passwords changed regularly according to the sensitivity of 
the Personal Data being processed ? 


4 _ Are passwords de-activated when staff change functions ? 


5 Do you have a reliable system for ensuring that the passwords of 
staff leaving the Authority, especially when disciplinary matters 
are involved, are inactivated and that their access to sensitive areas 
is withdrawn ? 


6 Do you only allocate passwords on an individual basis ? 


7 Are you able to restrict the access to sensitive systems in your 
department to particular terminals, times or individuals ? 


8 Do you ensure that no demonstrations are given of any of your 
systems containing Personal Data to anyone who is not normally 
entitled to access to that Personal Data? 


9 Do you encourage your staff to use a separate training database 
wherever possible, even where they are entitled to access to the 
Personal Data on the live system ? 


10 Do you ensure that only companies or individuals registered under 
the Data Protection Act 1984 are permitted to maintain your 
hardware and software when this involves acccess to Personal 
Data? 


11 Do you ensure that any use of other computer systems by your 
staff, or joint use of systems with other organisations is fully 
covered from the point of view of registration and disclosure 
under the Act ? 


12 Are steps taken to prevent the unauthorised printing or copying or 
photocopying of Personal Information whether in printed or 
computer-readable form ? 
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Computer Systems Compliance Check 


Do you regularly inspect the access logs for your systems to check 
for unauthorised access or possible tampering with Personal Data ? 


Is your Confidential or Secure Personal Information kept securely 
locked away when it is not actually being used ? 


Are copies of Secure Personal Data numbered and is their usage 
carefully controlled and monitored ? 


Do you ensure that your staff have no greater level of access to 
Personal Data than their job requires ? 


Do you take particular care over the security and use of Personal 
Information held on microfilm ? 


Do you insist on personally allocating passwords where they 
cannot be generated by the system itself and disabling them after 
temporary use by in-house or outside service organisations ? 


Do you ensure that no demonstrations are given of any systems 
containing Personal Information to anyone who is not authorised 
to see such Personal Information by the appropriate Data User ? 


Word Processing and Electronic Mail 
Does your department include your Word Processing and 
Electronic Mail Systems within the register of equipment ? 


Has your department taken effective steps to ensure that your 
Word Processing and Electronic Mail activities are either 
registered in the normal way or operated within the exemptions of 
the Act ? 


Does your department hold any references, curriculum vitae or 
other Personal Data anywhere on Word Processing systems ? 


Have you carried out any recent checks to verify that your Word 
Processing Systems do not contain any Personal Data within the 
meaning of the Data Protection Act 1984 ? 
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5 Have you taken steps in respect of your use of Word Processing 
systems to ensure that:- 


1 work is organised into well-defined categories such 
as correspondence, committee minutes, reports etc. ? 


2 a suitable life cycle is defined for the retention of files in 
each category of work and ensure that it is observed ? 


3 where unregistered person specific material is produced, 
such as references and curriculum vitae, it is not held in electronic 
form and up-dated for repeated use ? 


[editing from paper files is acceptable but not from electronic files 
unless the person referred to is accepted as a Data Subject and 
Subject Access facilities are provided ] 


4 where Personal Data is held this data usage has been 
registered and facilities are provided for Subject Access ? 


[in general a name index is required to make Subject Access 
possible] 


6 Have you ensured that your departmental usage of Word 
Processing and Electronic Mail conforms to the relevant 
requirements of the Eight Data Protection Principles ? 
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Appendix 5 
Glossary and Index 


In the following notes The Data Protection Act 1984 is referred to as the "Act", the 
_ Notes to Help You Apply for Registration are referred to as the “Notes” and the 

eight new Guidelines from the Registrar's Office are referred to as G1 to G8. The 
original Guideline No 1 and the booklets of Questions and Answers, published by 
the Registrar, are no longer in print and have been superceded by the eight new 
Guidelines. 


Computer Bureau "A person carries on a ‘computer bureau if he provides other 
persons with services in respect of data, and a person provides such services if- 


a as agent for other persons he causes data held by them to be processed 
as mentioned in subsection (2) above {"Data"} or 

b he allows other persons the use of equipment in his possession for the 
processing as mentioned in that subsection of data held by them" [Act 
1(5)]. 


"A person" - to fall within this definition a person does not have to be in business as 
a Bureau. Nor does he even have to take any part in the actual processing of the 
data. It is sufficient that he makes equipment in his possession available for use by 
another Data User. Many Data Users will, therefore, find that they need to register 
as "a Data User who also carries on a Computer Bureau". This is a simple matter 
catered for, without extra cost, in the registration process [G2 12-13]. 


Data "means information recorded in a form in which it can be processed by 
equipment operating automatically in response to instructions given for that 
purpose” [Act 1(1)] 


"In a form" - effectively this covers anything recorded in equipment readable form. 
So, printed material may be "data" if it can be processed in that form (eg by the use 
of optical character recognition). However, the use of such material is regulated by 
the Act only if you actually process or intend to process it in that form. 


"Equipment operating automatically in response to instructions" - this phrase may 
be taken to cover stored program processors and their peripherals whether the 
program is in software or hardware form or a mixture of both. Thus it covers 
mainframe, mini and micro computers, word processors and punched card 
- processors [G2 4-5]. 
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Data Subject "means an individual who is the subject of personal data" [Act 1(14)] 


"An individual" - a Data Subject need not be a United Kingdom resident. A 
company is not an individual and cannot be a Data Subject. However, persons in 
business on their own account (sole traders) are individuals and therefore can be 
Data Subjects [G2 8]. 


Data User "means a person who holds data, and a person ‘holds' data if- 
a the data form part of a collection of data processed or intended to be 


processed by or on behalf of that person as mentioned in subsection (2) 
above {defining "Data"} and 


b that person (either alone or jointly or in common with other persons) 
controls the contents and use of the data comprised in the collection; 
and 

c the data are in the form in which they have been or are intended to be 


processed as mentioned in paragraph (a) above or (though not for the 
time being in that form) in a form into which they have been converted 
after being so processed and with a view to being further so processed 
on a subsequent occasion" [Act 1(5), G2 9 - 11]. 


Disclosing "in relation to data, includes disclosing information extracted from the 
data; and where the identification of the individual who is the subject of personal 
data depends partly on the information constituting the data and partly on other 
information in the possession of the data user, the data shall not be regarded as 
disclosed or transferred unless the other information is also disclosed or 
transferred" [Act 1(9), G2 18-19]. 


There are several exemptions from the "non-disclosure" provisions of the Act [see 
also G6 27-35]: 


i disclosures made for one of the law enforcement or revenue purposes 
listed at (i) in subject access exemptions. But the exemption only 
applies if the person making the disclosure has reasonable grounds for 
believing that a failure to disclose would be likely to prejudice one of 
those purposes; 


ii disclosures required for national security reasons. This may apply to 


personal data not exempt from the Act as a whole for reasons of 
national security; 
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vi 


if there is any challenge, a certificate signed by a Minister of the Crown 
to the effect that the disclosure was required for the purpose of 
safeguarding national security will be conclusive evidence of that fact; 


disclosures required by law or by order of a court for the purpose of 
obtaining legal advice or in court proceedings where the user is a party 
or witness; 


any disclosure made to the Data Subject, or to someone acting on his 
behalf, or at the Data Subject or that person's request, or with the Data 
Subject or that person's consent; 


disclosures to the Data User's or Computer Bureau's servants or agents 
for the purpose of performing their duties on his behalf. Such 
disclosures do not need to be registered by the Data User, but note that 
the data so disclosed is still governed by the Data User's register entry 
in other respects - for example, the purposes for which it is used; 


disclosures required urgently for the prevention of injury or damage to 
health of any persons(s) 


Holding Data "a person holds data if- 


a 


the data form part of a collection of data processed or intended to be 
processed by or on behalf of that person as mentioned in subsection 
(2) above {defining "Data"} and 


that person (either alone or jointly or in common with other persons) 
controls the contents and use of the data comprised in the collection; 
and 


the data are in the form in which they have been or are intended to be 
processed as mentioned in paragraph (a) above or (though not for the 
time being in that form) in a form into which they have been converted 
after being so processed and with a view to being further so processed 
on a subsequent occasion" [Act 1(5)] 


Person "is a legal person and, as well as individuals, companies and other 
corporate and unincorporated bodies are persons. Except in Scotland, a partnership 
is not a legal person distinct from its members and the partners themselves may need 
to register as Data Users - this will be considered in the development of the 
registration process” [G2 26-31]. 
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Personal Data "means data consisting of information which relates to a living 
individual who can be identified from that information (or from that and other 
information in the possession of the data user), including any expression of opinion 
about the individual but not any indication of the intentions of the data user in 
respect of that individual" [Act 1(3)]. 


"Information which relates to" - whether an item of information "relates to" an 
individual is a question of fact which must be determined in the particular 
circumstances which arise. Consideration will be given as to whether any useful 
"rules of thumb" can be developed to help in that determination. 


"A living individual" - if the subject is dead or is not an individual (eg if it is a 
company) the information cannot constitute personal data. 


"Can be identified" - the identification may be direct - eg where the subject's name is 
recorded as part of the data - or indirect eg where the data contain a code from 
which, by reference to a separate list in your possession, the subject can be 
identified. 


"Not any indication of the intentions" - it is only your intentions which are excluded 
not those of third parties....[Act 1 (3), G2 6] 


Preparing Text of Documents "Processing" shall not be construed as applying 
to any operation performed only for the purpose of preparing the text of documents 
[Act 1(8)]. 


Processing, "in relation to data, means amending, augmenting, deleting or 
re-arranging the data or extracting the information constituting the data and, in the 
case of personal data, means performing any of those operations by reference to the 
data subject" [Act 1(7)]. 


“Processing” - this is a wide definition but remember that the only "processing" 
with which the Act is concerned is the type mentioned in subsection "Data" ie 
processing by equipment operating automatically in response to instructions given 
for that purpose. 


"Extracting the information" - operations such as transmission, display and printing 
are Caught since, in each case, extraction is an element of the operation. 


"Processing by reference to the Data Subject" - this is another very important 
phrase. More consideration needs to be given to the meaning of this phrase. It will 
only be fully illuminated by decisions of the courts covering different 
circumstances. The key element is that of obtaining information about a specific 
individual by whatever technical means this is achieved. [G2 14-15] 
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Index to Act and 
the Registrar's Guidelines 


Accuracy G4 14-15 
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Data Protection Registrar Act 3(1-2) G1 14-15 
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---2nd G4 11 
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---4th G4 14-15 

---5th G4 16-18 

---6th G4 19-20 

---7th G4 21-22 
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Data Subjects Act 1 (4) G14 G28 
---Rights G1 10-11 G5 

Data User Act 1 (5) G14 G2 9-11 
---Agents Act 5 (3) 
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Definitions G2 
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Disclosing Act 1 (9) G2 18-19 

Disclosure of Personal Data G1 14 

---Unauthorised Act 15 (1-3) 


Disposal of Computer Output G4 25 
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Electronic Mail G3 25-27 


Enforcement and Appeals G7 

---Appeals to Tribunal G7 15-17 
---Criminal Prosecutions G7 20-21 
---Deregistration Notices G7 8-10 
---Enforcement Notices G7 5-7 
---Introduction G7 3-4 
---Powers of Entry G7 18-19 
---Powers of Inspection G7 18-19 
---Summary of Offences G7 22-23 
---Transfer Prohibition Notices G7 11-14 
Enforcement Notice Act 10 (1-9) G7 5-7 
Exemptions Gl 6-7 G6 
~--Domestic & Recreational Purposes G6 7-8 
---General G6 4-6 
---Mailing Lists G6 17-19 
---Payroll, Pensions & Accounts G6 10-15 
---Required by Law G6 8-9 
---Subject Access G6 27-35 
---Unincorporated Clubs G6 15-17 
Groups of Companies G3 28-29 
Holding Personal Data G2 20-25 

Home Computers G6 7-8 
Implementation of the Act G1 17-18 

Individual’s Rights G5 
---Compensation for Inaccuracy G5 19-21 
---Compensation for Loss G5 22-23 
---Compensation for Unauthorised Disclosure G5 22-23 
---Complaints to Registrar G5 26-27 
---Correction or Erasure G5 24-25 
---Examination Marks G5 15-16 
---Identifying Individual G5 8-10 
---Information Relating to OthersGS5 13-15 
---Locating Personal Data G5 10-13 


---Requests on Behalf of Adult G5 16-17 
---Requests on Behalf of Child G5 17-18 


---Subject Access G5 4-9 
Internal Disclosures G3 28 
Internal Sources G3 28 
Introduction to the Act Gl 
Jurisdiction G2 36-38 
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Marking Data Act 22 (1-3) G5 20,24 


Microfilm & Microfiche G2 32-34 
Non-Disclosure Exemptions G6 20-26 
---Emergency Disclosures G6 26 
---General G6 20-21 
---Legal Purposes G6 25-26 
---Modification to Exemptions G6 26 
---National Security G6 25 
---Prevention of Crime G6 24-25 
---Taxation Purposes G6 24-25 
---To Agents G6 23 
---To Data Subjects G6 21-22 
---To Employees G6 23 
---With Consent G6 21-22 : 
Offences Act 5 (5) Act 15 (3) Act 16 G3 7-8 * 
Office Automation G3 25-27 
Orders 

---Health Data Act 29 (1) 
---Mental Incapacity Act 21 (9) 
---Registration Particulars Act 4 (8) 
---Sensitive Data Act 2 (3) 
---Social Work Data Act 29 (2) 


---Subject Access Exemption Act 34(2) Act 30 (2) 
Overseas Branches 


Payroll and Accounts G6 10-15 

Personal Data Act 1 (3) G14 G2 6-7 
---Held by the Data User G2 20-25 

---Holding Act 1 (5) Act 5 (1-5) 
Preparing the Text of Documents Act 1 (8) G2 16-17 

Processing Act 1(7-8) G2 14-15 

Register 

---Access to G19 G3 21 

Registration Act6(1-8) Act7(1-9) G34-6 
---Acceptance or Refusal Act 7 (4-9) G3 16-17 
---Alterations G3 15 

---Applications G3 9-12 

---Data Classes Notes 39-45 

---Disclosures for Maintenance G3 29-31 

---Effect of Refusal G3 18-19 

---Forms Notes 4-11 

---Groups of Companies G3 28-29 


---Internal Sources & DisclosuresG3 28 
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---Office Automation 
---Partnerships 
---Purposes 

---Related Organisations 
---Removal 

---Renewal 

---Separate 

---Sources & Disclosures 
---Standard Data Classes 
---Standard Purpose Codes 
---Worldwide 

Removal of Registration 
Renewal of Registration 


Security 

Subject Access 

Subject Access Exemptions 
---Back Up Data 


---Credit Reference Agencies 


G3 25-27 
G3 23-24 
Notes 12-38 
G3 28 

G3 20 

G3 20 

G3 13-14 
G3 24-25 
Notes 39-45 
Notes 12-38 
G3 22-23 
G3 20 

G3 20 


G4 23-26 
G1 12 G5 4-10 


G6 31 
G6 31-32 


---Disclosures Prohibited by Law G6 32 


---Financial Regulatory Bodies 


---General 

---Health Data 
---Incriminating Data 
---Judicial Appointments 


---Legal Professional Privilege 


---Prevention of Crime 
---Social Work Data 


---Statistical or Research Data 


---Taxation Purposes 


Telephone Logging Equipment 


Text Preparation 
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Unincorporated Clubs 


Word Processing 
World Wide Transfers 
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G6 33-34 
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G6 29 

G6 29-30 
G6 27-28 
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G6 27-28 


Act1(8) G2. 16-17 
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Act 12 (1-11) G7 11-14 


G6 15-17 


G2 16-17 
G3 22-23 
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Appendix 6 
Reference Organisations and Bibliography 


The following bodies have expertise in handling Data Protection:- 
1 The Office of the Data Protection Registrar 


Springfield House 
Water Lane 
WILMSLOW 
Cheshire 

SK9 5AX 


0625-535777 (enquiries) 
0625-535711 (administration) 


The Registrar's Office is the organisation primarily responsible for securing 
compliance with the Data Protection Act 1984. It provides the forms for 
registration under the Act and maintains the Data Protection Register which may be 
consulted there or in local libraries. Copies of specific register entries may also be 
obtained. The Registrar's Office has issued a series of useful booklets on various 
aspects of the implementation of the Data Protection Act 1984 and will give general 
guidance on specific issues although it cannot, of course, interpret the law. 


2 The British Computer Society 


13 Mansfield Street 
LONDON 
W1M OBP 


01-637-0471 


This is the chartered professional body concerned with computing based on 
individual membership. It has been involved in aspects of Data Protection over the 
last two decades and assisted in shaping the final version of the Data Protection Act 
1984. It provides advice on computing standards and has a Data Protection Policy 
Committee as well as a Data Protection Specialist Group which holds meetings for 
those interested in Data Protection issues. It runs both basic and advanced courses in 
Data Protection as well as maintaining a register of those computing professionals 
specialising in this area. 


1 Appendix 6 NHS Data Protection Handbook {version 3.0) August 28, 1987 


3 National Computing Centre 


Oxford Road 
MANCHESTER 
M1 7ED 


061-228-6333 


This is a non-profit organisation of which organisations may become members. It 
has established itself as a centre of excellence in computing matters. It publishes a 
number of monographs on computing and organises seminars on Data Protection 
among many other topics. It organises Data Protection activities in its Information 
Technology Security Circle. It was involved with the NHS Training Authority and 
the NHS Centre for Information Technology in producing the excellent Data 
Protection Act Resource Pack for training staff in the implications of the Act. 


4 Department of Health and Social Security 


Alexander Fleming House 
Elephant and Castle 
LONDON 

SE1 6BY 


01-407-5522 


The DHSS provides a two way link with other government departments (eg CCTA) 
and is involved with NHS working parties in preparing Guidelines for the 
protection of Personal Data held in computer systems. They are shortly expected to 
bring out a Code on Confidentiality of Personal Health Information which is 
concerned with the disclosure of Personal Information by the NHS where the Data 
Subject's consent has not been specifically obtained. 


5 Central Computer and Telecommunications Agency (CCTA) 
This is the organisation that provides advice on computer subjects to central 


government departments. It provides relevant advice in CCTA newsletters which 
are accessible to Health Authorities via the DHSS. 
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6 National Health Service Centre for Information Technology 


19 Calthorpe Road 
Edgbaston 
BIRMINGHAM 
B15 1RP 


021-454-1112 


The CIT provides advice for the NHS on the broad field of Information Technology 
and the co-ordination of initiatives and activities in this field for the benefit of the 
NHS as a whole. 


The CIT assisted the NHS through Registration with Data Protection Guidelines 
issued in February 1986. This report was updated in the light of the experience of 
Registration and developed into an updatable Data Protection Handbook. The 
consultant engaged to assist in this work was Dr Barry Barber, NETRHA 
Information Centre, St Faith's Hospital, Brentwood CM14 4QP [0277-228470]. 
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Abbott W, Barber B and Peel V - Information Technology in Health Care. 
Kluwer Publishing in association with the Institute of Health Service Management - 
ISBN 0 903 39393 X. 1986. 


Advertising Association - Code of Practice Covering the use of Personal Data 
for Advertising and Direct Marketing Purposes. Advertising Association. March 
1987. 


Bourn C and Benyon J (ed) - Data Protection Perspectives on Information 
Privacy. University of Leicester. 1983. ISBN 0 901507 27 X 


British Computer Society Data Protection Committee - Code of Practice. 
BCS. July 1986. 


British Computer Society's Data Protection Specialist Group Working 
Party on Subject Access - Report and Recommendations. BCS. May 1987. 


CCTA - Recommended procedures to safeguard the integrity to data in computer 
installations. Central Government Code of Practice 21. 


CCTA - Protection of Information in Computer Systems. CSD Central Computer 
Agency 


CIT - Data Protection Guidelines. NHS Centre for Information Technology, 
Birmingham. January 1986. 


CIT/NCC - The Data Protection Act 1984 Resource Pack. NHS Centre for 
Information Technology, Birmingham, and the National Computing Centre, 
Manchester. 1985. 


Committee of Vice-Chancellors and Principals - Data Protection Act 1984. 
Code of Practice for Universities. Committee of Vice Chancellors and Principals. 
London. ISBN 0 948890 029 


Committee on Data Protection - Sir Norman Lindop. HO Command 7341. 
HMSO 1978. ISBN 0 10 1734107 


Committee on Privacy - Rt Hon K Younger. HO Command 5012. HMSO 1976. 


Council of Europe - Convention for the Protection of Individuals with Regard to 
Automatic Processing of Personal Data. No 108. Strasbourg 28.1.1981. ISBN 92 
871 0022 5 


Council of Europe - Explanatory report on the Convention for the Protection of 
Individuals with regard to Automatic Processing of Personal Data. Strasbourg 
1981. 


4 Appendix 6 NHS Data Protection Handbook [version 3.0] August 28, 1987 


Council of Europe - Regulations for Automated Medical Data Banks. 
Recommendation No R [81] 1. Strasbourg 1981. 


Council of Europe - Protection of Personal Data used for Scientific Research and 
Statistics. Recommendation No R [83] 10. Strasbourg 1984. ISBN 92 871 0317 8 


Data Protection Act 1984 - HMSO London 


Elbra RA - Guide to the Data Protection Act. NCC Publications, Manchester. 
1984. 


Elbra RA - Implications of the Data Protection Act. NCC, Manchester. 1985. 


Elbra RA - Security Review Manual. NCC Publications, Manchester. 1986. 
ISBN 0 85012 523 5 


Evans A - Data Protection Policies and Practice. Institute of Personnel 
Management. 1987. ISBN 0 85292 385 6 


General Medical Services Committee - Guidance to General Medical 
Practitioners on Data Protection Registration. General Medical Services 
Committee. February 1986. 
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